chore: upgrade @fastify/jwt to 9.1.0

[dkhaye]

In this PR

• New tests (non-breaking change that adds compatibility coverage)
• Documentation (non-breaking change that documents the new tests)

Issues reference

• N/A

Checklist

• Checked there are no duplicate PRs for this change
• Linted locally with pnpm lint
• Explained what the changes do and why they're needed
• Wrote new tests for core changes
• Built locally with pnpm build
• Tested locally with pnpm test
• Committed using Conventional Commits

Summary

Adds comprehensive JWT compatibility tests to validate that upgrading @fastify/jwt from 9.0.1 to 9.1.0 is safe for this project. Tests exercise the plugin as used here (including JWKS-based verification, scope handling, and error behavior) without referencing package versions, ensuring forward compatibility for future upgrades. Also adds documentation describing how to run and interpret the new tests.

What changed

• Tests
  • Added test/jwt-compatibility.ts:
    • Validates plugin registration and config errors (missing JWKS_URL)
    • Verifies token decoding and formatUser behavior (with and without scope)
    • Ensures read/write scope authorization works and denies when missing
    • Covers malformed/invalid tokens and auth header edge cases
    • Exercises integration with artifact upload/download/HEAD
    • Confirms issuer/audience matching when configured
• Docs
  • Added docs/jwt-compatibility-testing.md explaining:
    • What's covered by the tests
    • How to run them and troubleshoot failures
    • Why this protects future plugin upgrades

Why this is needed

• Confirms that moving from @fastify/jwt 9.0.1 → 9.1.0 does not change behavior in this codebase
• Provides a safety net for future @fastify/jwt upgrades by testing usage patterns rather than versions
• Ensures compatibility with JWKS verification via fastify-jwt-jwks and scope-based access checks

How to verify locally

• Run only the new tests:

pnpm test jwt-compatibility.ts

• Run the full suite:

pnpm test

• Build and type-check:

pnpm run build
pnpm run check:types

Notes on compatibility

• The tests validate the behavior expected by this repo's integration:
  • JWT validation via JWKS (mocked with mock-jwks)
  • Optional issuer/audience matching
  • Scope-based route authorization for read/write
  • Consistent error handling for auth header issues and invalid tokens

These assertions are stable and independent of specific @fastify/jwt versions, so they will continue to guard behavior as the dependency evolves.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	commitlint-plugin-function-rules@​4.0.1 ⏵ 4.0.2	+1			-2
	@​types/​node@​20.17.51 ⏵ 20.19.11	+1		+1
	tsx@​4.19.4 ⏵ 4.20.4	+8		+1
	@​aws-sdk/​lib-storage@​3.817.0 ⏵ 3.864.0				-1
	typescript@​5.8.3 ⏵ 5.9.2	+1		+1
	pino-pretty@​13.0.0 ⏵ 13.1.1	+1
	pino@​9.7.0 ⏵ 9.9.0	+1
	@​fastify/​jwt@​9.0.1 ⏵ 9.1.0				+6
	@​semantic-release/​github@​11.0.3 ⏵ 11.0.4	+1			-1
	@​aws-sdk/​client-s3@​3.817.0 ⏵ 3.864.0				-1
	semantic-release@​24.2.5 ⏵ 24.2.7	+1
	@​semantic-release/​npm@​12.0.1 ⏵ 12.0.2	+1			+2
	@​azure/​storage-blob@​12.27.0 ⏵ 12.28.0	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		@azure/[email protected] has URL strings. URLs: https://storage.azure.com/.default, https://disk.compute.azure.com/.default, Microsoft.Storage Location: Package overview From: package.json → npm/@azure/[email protected] ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@azure/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@azure/[email protected] has URL strings. URLs: Microsoft.Storage Location: Package overview From: pnpm-lock.yaml → npm/@azure/[email protected] → npm/@azure/[email protected] ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@azure/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@fastify/[email protected] has a New author. New Author: eomm Previous Author: gurgunday From: pnpm-lock.yaml → npm/@fastify/[email protected] → npm/[email protected] → npm/@fastify/[email protected] ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@fastify/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has URL strings. URLs: http://cobertura.sourceforge.net/xml/coverage-04.dtd, lcov.info, https://istanbul.js.org/ Location: Package overview From: pnpm-lock.yaml → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 4 more rows in the dashboard

View full report