Skip to content

package is pulling in a vulnerable version of fast-redact #7741

New issue
New issue
Open
Bug
#7744
Open
package is pulling in a vulnerable version of fast-redact#7741
Bug
#7744
Labels
security
@G-Rath

Description

@G-Rath
G-Rath
opened on Oct 24, 2025

GHSA-ffrw-9mx8-89p8 impacts all versions of fast-redact, which netlify-cli pulls in via fastify > pino:

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

This has been addressed in pino v9.12.0 which replaces fast-redact with slow-redact, but while this version is allowed by fastify v4.29.1, the npm-shrinkwrap.json that netlify-cli ships with does not.

Metadata

Metadata

Assignees

No one assigned

    Labels

    security

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions