What's Changed

• docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in #6546
• Revert "chore: upgrade borp to v1.0.0" by @climba03003 in #6564
• docs: document body validation with custom content type parsers by @mcollina in #6556
• docs(ecosystem): add fastify-file-router by @bhouston in #6441
• docs: add fastify-svelte-view to Ecosystem list by @matths in #6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in #6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in #5661
• docs(guides): update codemod links by @OluchiEzeifedikwa in #6479
• docs: add @glidemq/fastify to community plugins by @avifenesh in #6560

New Contributors

• @yeliex made their first contribution in #6546
• @matths made their first contribution in #6453
• @leftieFriele made their first contribution in #5661
• @OluchiEzeifedikwa made their first contribution in #6479
• @avifenesh made their first contribution in #6560

Full Changelog: v5.8.1...v5.8.2

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: v5.8.0...v5.8.1

What's Changed

• docs(request): add host security warning references by @mcollina in #6476
• docs: fix note style by @Fdawgs in #6487
• chore: rename deploy website ci by @Eomm in #6492
• chore: support pino v9 and v10 by @mcollina in #6496
• chore: update logger types and fix TODO comment by @Tony133 in #6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in #6472
• docs: fix markdown typo in README.md by @droppingbeans in #6491
• test: cover non-numeric content-length client error path by @mcollina in #6500
• ci: remove tests-checker workflow by @Tony133 in #6481
• ci: remove stale.yml file by @Tony133 in #6504
• docs(security): remove hackerone references; change note style by @Fdawgs in #6501
• chore: rename @sinclair/typebox to typebox by @Tony133 in #6494
• ci(links-check): add external link checker using linkinator-action by @umxr in #6386
• chore: upgrade borp to v1.0.0 by @Tony133 in #6510
• docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in #6516
• fix: avoid mutating shared routerOptions across instances by @mcollina in #6515
• fix(types): accept async route hooks in shorthand options by @mcollina in #6514
• docs: Improve shutdown lifecycle documentation by @kibertoad in #6517
• chore: remove unused tsconfig.eslint.json by @mrazauskas in #6524
• feat: First-class support for handler-level timeouts by @kibertoad in #6521
• docs(security): clarify insecureHTTPParser threat model scope by @mcollina in #6533
• chore(license): standardise license notice by @Fdawgs in #6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in #6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in #6528
• docs(reference/hooks): fix note style by @Fdawgs in #6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in #6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #6542
• ci: remove broken links and add ecosystem link validator by @mcollina in #6421
• ci(validate-ecoystem-links): add job level permission by @Fdawgs in #6545
• style: remove trailing whitespace by @Fdawgs in #6543

New Contributors

• @droppingbeans made their first contribution in #6491
• @umxr made their first contribution in #6386
• @slegarraga made their first contribution in #6531
• @super-mcgin made their first contribution in #6528

Full Changelog: v5.7.4...v5.8.0

Full Changelog: v5.7.3...v5.7.4

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @mcollina in #6466
• chore: ignore agents config files by @mcollina in #6474
• docs: update vulnerability reporting to use GitHub Security by @mcollina in #6475

Full Changelog: v5.7.2...v5.7.3

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @climba03003 in #6447
• chore: update sponsor url by @Eomm in #6450
• docs: add fastify-http-exceptions to Ecosystem.md by @bhouston in #6442
• docs: fix invalid shorten form schema example by @climba03003 in #6448
• docs: Simplify and tighten decorators example by @smith558 in #6451
• docs: Fix incorrect variable use by @smith558 in #6455
• chore: update sponsor link by @Eomm in #6460
• fix: Fix MIT Licence file to conform to standard by @smith558 in #6464
• docs: move querystringParser option under routerOptions by @inyourtime in #6463
• chore: Updated content-type header parsing by @jsumners in #6414

New Contributors

• @bhouston made their first contribution in #6442

Full Changelog: v5.7.1...v5.7.2

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @dependabot[bot] in #6434
• chore: updated version in the fastify.js by @Tony133 in #6446

Full Changelog: v5.7.0...v5.7.1

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @alexandercerutti in #6380
• docs: update migration guide with date-time breaking change by @craftsman01 in #6110
• chore: remove test file by @Eomm in #6384
• feat: speed up loading with custom compiler by @Eomm in #6383
• docs: replace all instances of twitter.com with x.com by @cseas in #6355
• docs: correct logger option in example by @inyourtime in #6391
• docs: fix links by @Shriti507 in #6394
• chore: skip unnecessary object creation by @Eomm in #6400
• docs: Update JSON Schema link in documentation by @jon23d in #6402
• docs(ecosystem): add fastify-ses-mailer by @KaranHotwani in #6395
• docs: add security note about validation errors in response by @mcollina in #6407
• docs: add security threat model by @mcollina in #6406
• chore: update onboarding and offboarding instructions by @Eomm in #6403
• fix: set status code before publishing diagnostics error channel by @tt-a1i in #6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @mcollina in #6420
• chore: fix type test by @mrazauskas in #6418
• docs: improve Validation-and-Serialization.md by @twentytwo777 in #6423
• test: skip IPv6 test if its support is not present by @LiviaMedeiros in #6428
• test: fix test when localhost has multiple addresses by @LiviaMedeiros in #6427
• docs: add security warning for requestIdHeader by @mcollina in #6425
• docs(ecosystem): add elements-fastify by @rohitsoni007 in #6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @dependabot[bot] in #6436
• chore: Bump @types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @dependabot[bot] in #6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @AnkanMisra in #6392
• fix(types): require send() payload when Reply type is specified by @tt-a1i in #6432
• fix: ajv options type validation by @gianmarco27 in #6437
• docs: add non-vulnerability examples to threat model by @RafaelGSS in #6431
• feat: implement conditional request logging by @kibertoad in #5732
• docs(sponsor): add serpapi by @Eomm in #6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @mcollina in #6444

New Contributors

• @craftsman01 made their first contribution in #6110
• @cseas made their first contribution in #6355
• @Shriti507 made their first contribution in #6394
• @jon23d made their first contribution in #6402
• @KaranHotwani made their first contribution in #6395
• @tt-a1i made their first contribution in #6412
• @mrazauskas made their first contribution in #6418
• @twentytwo777 made their first contribution in #6423
• @rohitsoni007 made their first contribution in #6416
• @AnkanMisra made their first contribution in #6392
• @gianmarco27 made their first contribution in #6437

Full Changelog: v5.6.2...v5.7.0

What's Changed

• refactor: rename source file names with kebab-case by @jean-michelet in #6331
• ci(ci): check dependabot prs originate from repo by @Fdawgs in #6330
• fix: accept htab ows by @jean-michelet in #6303
• fix: handle non FastifyErrors in custom handler properly, set type of error-parameter for setErrorHandler and errorHandler to unknown, but configurable via generic TError by @Uzlopak in #6308
• build(deps-dev): remove @fastify/pre-commit by @Fdawgs in #6319
• ci: improve citgm workflows by @Uzlopak in #6334
• docs: explain stream error handling by @lundibundi in #5746
• fix: error throwing in reply by @juanlet in #6299
• refactor: delegate options processing to a dedicated function by @jean-michelet in #6333
• ci: remove label of citgm only on pull_request.labeled, add options for workflow_dispatch by @Uzlopak in #6335
• chore: Bump actions/checkout from 4 to 5 by @dependabot[bot] in #6343
• chore: Bump joi from 17.13.3 to 18.0.1 by @dependabot[bot] in #6347
• chore: Bump lycheeverse/lychee-action from 2.4.1 to 2.6.1 by @dependabot[bot] in #6345
• chore: Bump actions/dependency-review-action from 4.7.1 to 4.8.0 by @dependabot[bot] in #6344
• chore: Bump actions/labeler from 5 to 6 by @dependabot[bot] in #6341
• chore: Bump actions/setup-node from 4 to 5 by @dependabot[bot] in #6342
• chore: Bump actions/github-script from 7 to 8 by @dependabot[bot] in #6340
• docs: mention that addHttpMethod override existing methods by @jean-michelet in #6350
• chore: remove reference to simple-get by @ilteoood in #6353
• chore: remove commented tests by @ilteoood in #6352
• fix: respect child logger factory in fastify options by @cysp in #6349
• docs(ecosystem): adding attaryz/fastify-devtools to community plugins by @attaryz in #6339
• docs: remove ambiguity from statement by @udohjeremiah in #6360
• chore: add @fastify/sse as fastify core plugin to documentation and citgm by @manshusainishab in #6364
• docs(guides/fluent-schema): replace last nb usage by @Fdawgs in #6365
• style(ci): remove whitespace from concurrency group by @Fdawgs in #6366
• docs: Fix broken link to TypeBox doc website wrt AJV setup by @melroy89 in #6367
• docs(reference/plugins): mention async plugins by @Fdawgs in #6357
• chore: add max-len ESLint rule with 120 character limit by @emicovi in #6221
• chore: Bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #6374
• chore: Bump pino from 9.14.0 to 10.1.0 in the dependencies-major group by @dependabot[bot] in #6378
• chore: Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @dependabot[bot] in #6375
• chore: Bump tsd from 0.32.0 to 0.33.0 in the dev-dependencies-typescript group by @dependabot[bot] in #6346
• chore: Bump lycheeverse/lychee-action from 2.6.1 to 2.7.0 by @dependabot[bot] in #6377
• fix: handle web stream payload in HEAD route by @orionmiz in #6372
• chore: Bump actions/setup-node from 5 to 6 by @dependabot[bot] in #6376
• chore: Bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in #6379
• fix: parse ipv6 hostname by @jean-michelet in #6373
• fix: consistent error handling for custom validators in async validation contexts by @emicovi in #6247

New Contributors

• @juanlet made their first contribution in #6299
• @cysp made their first contribution in #6349
• @attaryz made their first contribution in #6339
• @udohjeremiah made their first contribution in #6360
• @manshusainishab made their first contribution in #6364
• @orionmiz made their first contribution in #6372

Full Changelog: v5.6.1...v5.6.2

What's Changed

• fix: fix typo of deprecation warning FSTDEP022 by @Uzlopak in #6313
• docs(decorators): fix TypeScript inconsistency by @emicovi in #6224
• chore: fix typos by @deining in #6316
• docs(security): add secondary contact/security escalation policy by @UlisesGascon in #6315
• chore(gha): remove benchmark github workflows by @Eomm in #6322
• chore(sponsor): add lambdatest by @Eomm in #6324
• fix: (types) allow FastifySchemaValidationError[] as an error by @gurgunday in #6326
• fix: correct session.close() context in http2 timeout handler by @David-van-der-Sluijs in #6327
• fix: close http2 sessions on close server by @kostyak127 in #6137

New Contributors

• @deining made their first contribution in #6316
• @UlisesGascon made their first contribution in #6315
• @David-van-der-Sluijs made their first contribution in #6327
• @kostyak127 made their first contribution in #6137

Full Changelog: v5.6.0...v5.6.1