chore: bump fastify from 5.8.4 to 5.8.5 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: fastify.

Updates fastify from 5.8.4 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

• chore: Fix port parsing by @​jsumners in fastify/fastify#6603
• chore: upgrade to typescript v6.0.2 by @​Tony133 in fastify/fastify#6605
• fix: restore trustProxy function for number and string types, add null check for socketAddr by @​mcollina in fastify/fastify#6613
• ci: reduce cron scheduled workflows from daily/weekly to monthly by @​Fdawgs in fastify/fastify#6623
• chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in fastify/fastify#6629
• chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @​dependabot[bot] in fastify/fastify#6632
• chore: Bump borp from 0.21.0 to 1.0.0 by @​dependabot[bot] in fastify/fastify#6633
• chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in fastify/fastify#6630
• docs(ecosystem): add @​pompelmi/fastify-plugin by @​SonoTommy in fastify/fastify#6610

New Contributors

• @​SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

Commits

• 3983cce Bumped v5.8.5
• 3ce3ae6 Merge commit from fork
• b06a196 docs(ecosystem): add @​pompelmi/fastify-plugin (#6610)
• 909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
• 4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
• 0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
• 33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
• fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
• 8dee9be fix: restore trustProxy function for number and string types, add null check ...
• d457aed chore: upgrade to typescript v6.0.2 (#6605)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This is a routine Dependabot security patch bumping fastify from 5.8.4 to 5.8.5 to address CVE-2026-33806 (GHSA-247c-9743-5963), which fixes port parsing and restores the trustProxy function for number/string types with a null check for socketAddr. The package-lock.json also shows prettier and turbo devDependency specifiers normalized from "latest" to "*" — this is a standard npm lock file artifact and has no behavioral impact.

Confidence Score: 5/5

Safe to merge — this is a targeted security patch with no breaking changes and no logic modifications in the project code.

Only two files changed: the fastify version pin and the lock file. This is a patch release (5.8.4 → 5.8.5) that specifically addresses a security CVE. All findings are informational.

No files require special attention.

Important Files Changed

Filename	Overview
apps/api/package.json	Bumps fastify version specifier from ^5.7.4 to ^5.8.5 to pick up the security patch release fixing CVE-2026-33806.
package-lock.json	Updates fastify resolved version from 5.8.4 to 5.8.5 with a new integrity hash; also normalizes root devDependency specifiers for prettier and turbo from "latest" to "*" (npm lock file normalization artifact).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot PR] --> B[fastify 5.8.4 → 5.8.5]
    B --> C{Security Patch}
    C --> D[CVE-2026-33806 fixed]
    D --> E[Restored trustProxy for number/string types]
    D --> F[Added null check for socketAddr]
    D --> G[Fixed port parsing]

Loading

_{Reviews (1): Last reviewed commit: "chore: bump fastify in the npm_and_yarn ..." | Re-trigger Greptile}

[cubic-dev-ai]

No issues found across 2 files