chore(deps): bump web/backend to fastify 5 + matching plugin majors#345
Conversation
Dependabot PR #342 bumped fastify 4->5 (and fast-uri 2->3) but left @fastify/cors at ^9 and @fastify/static at ^7 -- both built for fastify 4. fastify-plugin enforces the version at registration, so the BFF would throw at startup: 'fastify-plugin: @fastify/cors - expected 4.x fastify version, 5.8.5 is installed'. No CI job builds or runs web/backend, so the breakage is invisible to CI -- it would only surface when a user runs kbagent serve's Node BFF. Bump the plugins in lock-step to their fastify-5 majors: @fastify/cors ^9 -> ^11 @fastify/static ^7 -> ^9 Verified locally end-to-end: npm ci clean, npm run build (tsc) clean with fastify 5 types, BFF boots and registers both plugins, /__bff/health + /__bff/info OK, live /api proxy to kbagent serve returns 34 projects, CORS preflight returns 204 with the right ACAO header, and @fastify/static serves the SPA + assets + SPA-fallback route. Supersedes #342.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| "fastify": "^4.28.1", | ||
| "@fastify/cors": "^11.0.0", | ||
| "@fastify/static": "^9.0.0", | ||
| "fastify": "^5.8.5", |
There was a problem hiding this comment.
🔴 Unnamed wildcard route "/api/*" is incompatible with Fastify v5's find-my-way v9 router
The PR bumps fastify from v4 to v5 (web/backend/package.json:17), which ships with find-my-way v9 (lock file resolves to 9.6.0). In find-my-way v9, unnamed wildcard * is no longer valid — wildcards must be named (e.g., "/api/*path"). The existing route at web/backend/src/proxy.ts:58 uses the old "/api/*" syntax, which will cause an error at route registration (server startup). The source code was not updated alongside this major version bump.
Prompt for agents
The upgrade from Fastify v4 to v5 introduces a breaking change in the router (find-my-way v9): unnamed wildcard routes are no longer supported. The route in web/backend/src/proxy.ts:58 uses app.all("/api/*", ...) which needs to be updated to use a named wildcard, e.g. app.all("/api/*path", ...). Additionally, check for other Fastify v5 breaking changes that may affect server.ts and proxy.ts — in particular the @fastify/static v9 API (the wildcard: false option at server.ts:50 may have been removed or renamed), and verify that direct reply.raw.writeHead() usage in proxy.ts:42 is still supported with Fastify v5's response lifecycle.
Was this helpful? React with 👍 or 👎 to provide feedback.
| "@fastify/static": "^7.0.4", | ||
| "fastify": "^4.28.1", | ||
| "@fastify/cors": "^11.0.0", | ||
| "@fastify/static": "^9.0.0", |
There was a problem hiding this comment.
🚩 @fastify/static v9 'wildcard' option may be removed or renamed
At web/backend/src/server.ts:50, the code passes wildcard: false to @fastify/static. This option controlled whether the plugin registers a wildcard route for serving files. With the jump from @fastify/static v7 to v9 (two major versions), this option may have been removed, renamed, or its behavior changed. If removed, Fastify v5 may silently ignore it or throw — either way the SPA file-serving behavior could change. This should be verified against the @fastify/static v9 migration guide or changelog.
Was this helpful? React with 👍 or 👎 to provide feedback.
| "fastify": "^4.28.1", | ||
| "@fastify/cors": "^11.0.0", | ||
| "@fastify/static": "^9.0.0", | ||
| "fastify": "^5.8.5", |
There was a problem hiding this comment.
🚩 Direct reply.raw.writeHead() usage may conflict with Fastify v5 response lifecycle
In web/backend/src/proxy.ts:42, the SSE streaming function calls reply.raw.writeHead(200, {...}) directly, bypassing Fastify's response abstraction. Fastify v5 made changes to response lifecycle tracking — using reply.raw directly can conflict with Fastify's internal state, potentially causing 'Reply already sent' warnings or errors. The streamSSE function at proxy.ts:38-52 should be reviewed to ensure it's compatible with Fastify v5's stricter response handling. Consider using reply.hijack() before writing to reply.raw to signal Fastify that the response is being handled manually.
Was this helpful? React with 👍 or 👎 to provide feedback.
| "@fastify/cors": "^11.0.0", | ||
| "@fastify/static": "^9.0.0", | ||
| "fastify": "^5.8.5", |
There was a problem hiding this comment.
🚩 Three simultaneous major version bumps with no code changes
This PR bumps three packages across major versions (fastify 4→5, @fastify/cors 9→11, @fastify/static 7→9) but includes zero source code changes. Major version bumps indicate breaking API changes by semver convention. The lock file confirms these are real upgrades (e.g., fastify resolved to 5.8.5, find-my-way to 9.6.0). At minimum, the PR should include evidence that the code was tested against the new versions (e.g., test output, manual verification notes), or the source should be updated to use the new APIs. Without either, this PR risks shipping a broken backend.
Was this helpful? React with 👍 or 👎 to provide feedback.
1 participant
What
Consolidated
web/backend(Node BFF) dependency bump that supersedes Dependabot PR #342.fastify@fastify/cors@fastify/static(
fast-uri2→3 comes in transitively via fastify 5.)Why
#342 bumped
fastifyto 5 but left@fastify/cors@^9and@fastify/static@^7— both built for fastify 4.fastify-pluginenforces the accepted fastify range at registration, so the BFF throws at startup:server.tsregisters both plugins on boot, so #342 as-is would breakkbagent serve's Node BFF. No CI job builds or runsweb/backend(the wheel-build job only buildsweb/frontend;checkis Python), so green CI on #342 does not validate the backend — same partial-bump trap as #337/#338.Verification (local, end-to-end against a live project)
npm ciclean;npm run build(tsc) clean with fastify 5 types/__bff/health→{"status":"ok"},/__bff/info→kbagent.ready:true/api/projectsproxied BFF →kbagent serve→ Keboola → 34 projects (proxy.tsreply.rawstreaming works on v5)204withaccess-control-allow-origin: http://localhost:5173(@fastify/cors@11)@fastify/static@9:GET /servesindex.html,/assets/*.jsserved, SPA-fallback route →200Closes #342