Fastify

registrynpm

package namefastify

maintainerFastify Contributors

Fastify is a high-performance Node.js web framework focused on low overhead and plugin extensibility. It uses JSON Schema for request validation and serialization and is commonly used in high-throughput microservices. Fastify's plugin architecture means a single compromised plugin affects all routes in the application.

api usage

Checking Fastify

fastify 4.28.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=fastify&version=4.28.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "fastify",
  "version": "4.28.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Web framework packages handle request lifecycle hooks that run for every request. A backdoored version with access to request hooks can intercept all incoming traffic before any application-level authentication or validation.

Attestd monitors fastify using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages Express Helmet Prisma Client Response fields