fastify transitive vulnerability with repack #1341

@deepmohan

Describe the bug

A dependency of repack, @callstack/repack-dev-server, in turn depends on fastify version 4.29.1. A new HIGH vulnerability (CVE-2026-25223) has been identified in fastify, and it has to be upgraded to version 5.7.2 or beyond.

System Info

Node:
  version: 22.14.0
npm:
  version: 11.3.0

Re.Pack Version

5.2.1

Reproduction

https://github.com/callstack/repack

Steps to reproduce

Install node and pnpm.

Execute pnpm why fastify, which should produce the output below:

@callstack/repack 5.2.1
└─┬ @callstack/repack-dev-server 5.2.1
  └── fastify 4.29.1
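
The check described in the steps above can be automated in CI. This is an added example, not part of the original issue or the Re.Pack project: it walks a dependency tree and reports every path that resolves fastify below 5.7.2. It assumes a tree of nested `dependencies` objects keyed by package name (the shape `npm ls --json` emits); `findBelow`, `isBelow` and the sample tree are constructed for illustration.

```javascript
const FLOOR = "5.7.2"; // minimum fastify version named in the issue

// Split "major.minor.patch[-prerelease][+build]" into numbers and a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// True when `version` sorts strictly before `floor` (compared numerically,
// so 5.10.0 is not below 5.7.2).
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre; // 5.7.2-rc.1 sorts before 5.7.2
}

// Recursively collect "a@x > b@y > pkg@z" paths where pkg resolves below floor.
function findBelow(node, pkg, floor, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${dep.version}`];
    if (name === pkg && isBelow(dep.version, floor)) hits.push(path.join(" > "));
    hits.push(...findBelow(dep, pkg, floor, path));
  }
  return hits;
}

// Constructed sample: the chain from the issue plus a direct fastify at the floor.
const sampleTree = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "@callstack/repack": {
      version: "5.2.1",
      dependencies: {
        "@callstack/repack-dev-server": {
          version: "5.2.1",
          dependencies: { fastify: { version: "4.29.1" } },
        },
      },
    },
    fastify: { version: "5.7.2" },
  },
};

console.log(findBelow(sampleTree, "fastify", FLOOR));
```

A non-empty result can fail the build, and the printed path shows which direct dependency pulls in the old version.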

Labels: status:new (New issue, not reviewed by the team yet.), type:bug (A bug report.)
