Bump @fastify/reply-from from 9.7.0 to 12.6.2

[dependabot]

Bumps @fastify/reply-from from 9.7.0 to 12.6.2.

Release notes

Sourced from @​fastify/reply-from's releases.

v12.6.2

⚠️ Security Release

This fixes CVE CVE-2026-33805 GHSA-gwhp-pf74-vj37.

What's Changed

• fix: correct path traversal check to allow '...' in URL path segments by @​q0rban in fastify/fastify-reply-from#461
• build(deps): Bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fastify-reply-from#462
• build(deps-dev): Bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fastify-reply-from#463
• build(deps-dev): Bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#464
• ci: add lock-threads workflow by @​Fdawgs in fastify/fastify-reply-from#466

New Contributors

• @​q0rban made their first contribution in fastify/fastify-reply-from#461

Full Changelog: fastify/fastify-reply-from@v12.6.1...v12.6.2

v12.6.1

What's Changed

• build(deps-dev): Bump @​sinonjs/fake-timers from 14.0.0 to 15.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#440
• build(deps-dev): Bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in fastify/fastify-reply-from#447
• fix: strip headers listed in Connection header per RFC 7230 Section 6.1 by @​mcollina in fastify/fastify-reply-from#450
• feat: preserve undici agent by default by @​mcollina in fastify/fastify-reply-from#452
• chore: removed unused files by @​Tony133 in fastify/fastify-reply-from#453
• chore(license): standardise license notice by @​Fdawgs in fastify/fastify-reply-from#454
• style: remove trailing whitespace by @​Fdawgs in fastify/fastify-reply-from#455
• build(deps-dev): Bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#456
• fix: avoid trailing ? when queryString option resolves to empty string by @​fooddilsn in fastify/fastify-reply-from#459

New Contributors

• @​fooddilsn made their first contribution in fastify/fastify-reply-from#459

Full Changelog: fastify/fastify-reply-from@v12.5.0...v12.6.1

v12.5.0

⚠️ Security Release ⚠️

By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @​fastify/reply-from.

Read more at GHSA-2q7r-29rg-6m5h. This is catalogued as CVE-2025-66415.

What's Changed

• Add test for text/event-stream proxying with custom parser by @​mcollina in fastify/fastify-reply-from#438

Full Changelog: fastify/fastify-reply-from@v12.4.0...v12.5.0

v12.4.0

What's Changed

... (truncated)

Commits

• 457ac75 Bumped v12.6.2
• c815dc4 Merge commit from fork
• 1b8a45d ci: add lock-threads workflow (#466)
• a71839c build(deps-dev): Bump proxy from 2.2.0 to 4.0.0 (#464)
• f8aa76f build(deps-dev): Bump neostandard from 0.12.2 to 0.13.0 (#463)
• e697b5e build(deps): Bump fastify/workflows/.github/workflows/plugins-ci.yml (#462)
• 456a7e3 fix: correct path traversal check to allow '...' in URL path segments (#461)
• e61ac4d Bumped v12.6.1
• 4b87813 fix: avoid trailing ? when queryString option resolves to empty string (#459)
• f883886 build(deps-dev): Bump c8 from 10.1.3 to 11.0.0 (#456)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for @​fastify/reply-from since your current version.