Gathering detailed insights and metrics for fastify
Gathering detailed insights and metrics for fastify
Fast and low overhead web framework, for Node.js
Installations
npm install fastifyDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
22.10.0
NPM Version
10.9.0
Score
90.4
Supply Chain
99
Quality
94.9
Maintenance
100
Vulnerability
100
License
Releases
296
Languages
3
JavaScript
TypeScript
Shell
JavaScript (91.36%)
TypeScript (8.59%)
Shell (0.05%)
Developer
Download Statistics
Total Downloads
251,937,186
Last Day
398,415
Last Week
2,559,474
Last Month
10,583,914
Last Year
104,266,432
GitHub Statistics
NOASSERTION License
33,810 Stars
4,404 Commits
2,412 Forks
300 Watchers
17 Branches
782 Contributors
Updated on May 24, 2025
Sponsor this package
Maintainers
5
Package Meta Information
Latest Version
5.3.3
Package Id
fastify@5.3.3
Unpacked Size
2.50 MB
Size
447.87 kB
File Count
349
NPM Version
10.9.0
Node Version
22.10.0
Published on
May 13, 2025
Total Downloads
Cumulative downloads
Total Downloads
251,937,186
Last Day
2.9%
398,415
Compared to previous day
Last Week
2%
2,559,474
Compared to previous week
Last Month
1.9%
10,583,914
Compared to previous month
Last Year
42.5%
104,266,432
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
15
Dev Dependencies
38
@fastify/pre-commit@jsumners/line-reporter@sinclair/typebox@sinonjs/fake-timers@stylistic/eslint-plugin@stylistic/eslint-plugin-js@types/nodeajvajv-errorsajv-formatsajv-i18najv-merge-patchautocannonborpbranch-comparerconcurrentlycross-enveslintfast-json-bodyfastify-pluginfluent-json-schemah2urlhttp-errorsjoijson-schema-to-tsJSONStreammarkdownlint-cli2neostandardnode-forgeproxyquiresimple-getsplit2taptsdtypescriptundicivaryyup
An efficient server implies a lower cost of the infrastructure, better responsiveness under load, and happy users. How can you efficiently handle the resources of your server, knowing that you are serving the highest number of requests possible, without sacrificing security validations and handy development?
Enter Fastify. Fastify is a web framework highly focused on providing the best developer experience with the least overhead and a powerful plugin architecture. It is inspired by Hapi and Express and as far as we know, it is one of the fastest web frameworks in town.
The main branch refers to the Fastify v5 release.
Check out the 4.x branch for v4.
Table of Contents
- Quick start
- Install
- Example
- Core features
- Benchmarks
- Documentation
- Ecosystem
- Support
- Team
- Hosted by
- License
Quick start
Create a folder and make it your current working directory:
1mkdir my-app 2cd my-app
Generate a fastify project with npm init:
1npm init fastify
Install dependencies:
1npm i
To start the app in dev mode:
1npm run dev
For production mode:
1npm start
Under the hood npm init downloads and runs Fastify
Create, which in turn uses the
generate functionality of Fastify CLI.
Install
To install Fastify in an existing project as a dependency:
1npm i fastify
Example
1// Require the framework and instantiate it 2 3// ESM 4import Fastify from 'fastify' 5 6const fastify = Fastify({ 7 logger: true 8}) 9// CommonJs 10const fastify = require('fastify')({ 11 logger: true 12}) 13 14// Declare a route 15fastify.get('/', (request, reply) => { 16 reply.send({ hello: 'world' }) 17}) 18 19// Run the server! 20fastify.listen({ port: 3000 }, (err, address) => { 21 if (err) throw err 22 // Server is now listening on ${address} 23})
With async-await:
1// ESM 2import Fastify from 'fastify' 3 4const fastify = Fastify({ 5 logger: true 6}) 7// CommonJs 8const fastify = require('fastify')({ 9 logger: true 10}) 11 12fastify.get('/', async (request, reply) => { 13 reply.type('application/json').code(200) 14 return { hello: 'world' } 15}) 16 17fastify.listen({ port: 3000 }, (err, address) => { 18 if (err) throw err 19 // Server is now listening on ${address} 20})
Do you want to know more? Head to the Getting Started.
If you learn best by reading code, explore the official demo.
Note
.listenbinds to the local host,localhost, interface by default (127.0.0.1or::1, depending on the operating system configuration). If you are running Fastify in a container (Docker, GCP, etc.), you may need to bind to0.0.0.0. Be careful when listening on all interfaces; it comes with inherent security risks. See the documentation for more information.
Core features
- Highly performant: as far as we know, Fastify is one of the fastest web frameworks in town, depending on the code complexity we can serve up to 76+ thousand requests per second.
- Extensible: Fastify is fully extensible via its hooks, plugins, and decorators.
- Schema-based: even if it is not mandatory we recommend using JSON Schema to validate your routes and serialize your outputs. Internally Fastify compiles the schema in a highly performant function.
- Logging: logs are extremely important but are costly; we chose the best logger to almost remove this cost, Pino!
- Developer friendly: the framework is built to be very expressive and help developers in their daily use without sacrificing performance and security.
Benchmarks
Machine: EX41S-SSD, Intel Core i7, 4Ghz, 64GB RAM, 4C/8T, SSD.
Method:: autocannon -c 100 -d 40 -p 10 localhost:3000 * 2, taking the
second average
| Framework | Version | Router? | Requests/sec |
|---|---|---|---|
| Express | 4.17.3 | ✓ | 14,200 |
| hapi | 20.2.1 | ✓ | 42,284 |
| Restify | 8.6.1 | ✓ | 50,363 |
| Koa | 2.13.0 | ✗ | 54,272 |
| Fastify | 4.0.0 | ✓ | 77,193 |
| - | |||
http.Server | 16.14.2 | ✗ | 74,513 |
These benchmarks taken using https://github.com/fastify/benchmarks. This is a synthetic "hello world" benchmark that aims to evaluate the framework overhead. The overhead that each framework has on your application depends on your application. You should always benchmark if performance matters to you.
Documentation
Getting StartedGuidesServerRoutesEncapsulationLoggingMiddlewareHooksDecoratorsValidation and SerializationFluent SchemaLifecycleReplyRequestErrorsContent Type ParserPluginsTestingBenchmarkingHow to write a good pluginPlugins GuideHTTP2Long Term SupportTypeScript and types supportServerlessRecommendations
Ecosystem
- Core - Core plugins maintained by the Fastify team.
- Community - Community-supported plugins.
- Live Examples - Multirepo with a broad set of real working examples.
- Discord - Join our discord server and chat with the maintainers.
Support
Please visit Fastify help to view prior support issues and to ask new support questions.
Version 3 of Fastify and lower are EOL and will not receive any security or bug fixes.
Fastify's partner, HeroDevs, provides commercial security fixes for all unsupported versions at https://herodevs.com/support/fastify-nes. Fastify's supported version matrix is available in the Long Term Support documentation.
Contributing
Whether reporting bugs, discussing improvements and new ideas, or writing code, we welcome contributions from anyone and everyone. Please read the CONTRIBUTING guidelines before submitting pull requests.
Team
Fastify is the result of the work of a great community. Team members are listed in alphabetical order.
Lead Maintainers:
- Matteo Collina, https://twitter.com/matteocollina, https://www.npmjs.com/~matteo.collina
- Tomas Della Vedova, https://twitter.com/delvedor, https://www.npmjs.com/~delvedor
- KaKa Ng, https://www.npmjs.com/~climba03003
- Manuel Spigolon, https://twitter.com/manueomm, https://www.npmjs.com/~eomm
- James Sumners, https://twitter.com/jsumners79, https://www.npmjs.com/~jsumners
Fastify Core team
- Aras Abbasi, https://www.npmjs.com/~uzlopak
- Harry Brundage, https://twitter.com/harrybrundage, https://www.npmjs.com/~airhorns
- Matteo Collina, https://twitter.com/matteocollina, https://www.npmjs.com/~matteo.collina
- Gürgün Dayıoğlu, https://www.npmjs.com/~gurgunday
- Tomas Della Vedova, https://twitter.com/delvedor, https://www.npmjs.com/~delvedor
- Carlos Fuentes, https://twitter.com/metcoder95, https://www.npmjs.com/~metcoder95
- Vincent Le Goff
- Luciano Mammino, https://twitter.com/loige, https://www.npmjs.com/~lmammino
- KaKa Ng, https://www.npmjs.com/~climba03003
- Luis Orbaiceta, https://twitter.com/luisorbai, https://www.npmjs.com/~luisorbaiceta
- Maksim Sinik, https://twitter.com/maksimsinik, https://www.npmjs.com/~fox1t
- Manuel Spigolon, https://twitter.com/manueomm, https://www.npmjs.com/~eomm
- James Sumners, https://twitter.com/jsumners79, https://www.npmjs.com/~jsumners
Fastify Plugins team
- Harry Brundage, https://twitter.com/harrybrundage, https://www.npmjs.com/~airhorns
- Simone Busoli, https://twitter.com/simonebu, https://www.npmjs.com/~simoneb
- Dan Castillo, https://www.npmjs.com/~dancastillo
- Matteo Collina, https://twitter.com/matteocollina, https://www.npmjs.com/~matteo.collina
- Gürgün Dayıoğlu, https://www.npmjs.com/~gurgunday
- Tomas Della Vedova, https://twitter.com/delvedor, https://www.npmjs.com/~delvedor
- Carlos Fuentes, https://twitter.com/metcoder95, https://www.npmjs.com/~metcoder95
- Vincent Le Goff
- Jean Michelet, https://www.npmjs.com/~jean-michelet
- KaKa Ng, https://www.npmjs.com/~climba03003
- Maksim Sinik, https://twitter.com/maksimsinik, https://www.npmjs.com/~fox1t
- Frazer Smith, https://www.npmjs.com/~fdawgs
- Manuel Spigolon, https://twitter.com/manueomm, https://www.npmjs.com/~eomm
Emeritus Contributors
Great contributors to a specific area of the Fastify ecosystem will be invited to join this group by Lead Maintainers when they decide to step down from the active contributor's group.
- Tommaso Allevi, https://twitter.com/allevitommaso, https://www.npmjs.com/~allevo
- Ethan Arrowood, https://twitter.com/arrowoodtech, https://www.npmjs.com/~ethan_arrowood
- Çağatay Çalı, https://twitter.com/cagataycali, https://www.npmjs.com/~cagataycali
- David Mark Clements, https://twitter.com/davidmarkclem, https://www.npmjs.com/~davidmarkclements
- dalisoft, https://twitter.com/dalisoft, https://www.npmjs.com/~dalisoft
- Dustin Deus, https://twitter.com/dustindeus, https://www.npmjs.com/~starptech
- Denis Fäcke, https://twitter.com/serayaeryn, https://www.npmjs.com/~serayaeryn
- Rafael Gonzaga, https://twitter.com/_rafaelgss, https://www.npmjs.com/~rafaelgss
- Trivikram Kamat, https://twitter.com/trivikram, https://www.npmjs.com/~trivikr
- Ayoub El Khattabi, https://twitter.com/ayoubelkh, https://www.npmjs.com/~ayoubelk
- Cemre Mengu, https://twitter.com/cemremengu, https://www.npmjs.com/~cemremengu
- Salman Mitha, https://www.npmjs.com/~salmanm
- Nathan Woltman, https://twitter.com/NathanWoltman, https://www.npmjs.com/~nwoltman
Hosted by
We are an At-Large Project in the OpenJS Foundation.
Sponsors
Support this project by becoming a SPONSOR! Fastify has an Open Collective page where we accept and manage financial contributions.
Acknowledgments
This project is kindly sponsored by:
Past Sponsors:
This list includes all companies that support one or more team members in maintaining this project.
License
Licensed under MIT.
For your convenience, here is a list of all the licenses of our production dependencies:
- MIT
- ISC
- BSD-3-Clause
- BSD-2-Clause
High
7.5/10
Summary
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
Affected Versions
= 4.9.0
Patched Versions
4.9.1
High
7.5/10
Summary
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
Affected Versions
>= 5.0.0, <= 5.3.1
Patched Versions
5.3.2
High
7.5/10
Summary
fastify vulnerable to denial of service via malicious Content-Type
Affected Versions
>= 4.0.0, < 4.8.1
Patched Versions
4.8.1
High
7.5/10
Summary
Denial of Service vulnerability with large JSON payloads in fastify
Affected Versions
<= 0.37.0
Patched Versions
0.38.0
Moderate
4.2/10
Summary
Fastify: Incorrect Content-Type parsing can lead to CSRF attack
Affected Versions
>= 3.0.0, < 3.29.4
Patched Versions
3.29.4
Moderate
4.2/10
Summary
Fastify: Incorrect Content-Type parsing can lead to CSRF attack
Affected Versions
>= 4.0.0, < 4.10.2
Patched Versions
4.10.2
Moderate
0/10
Summary
Denial of service in fastify
Affected Versions
< 2.15.1
Patched Versions
2.15.1
Reason
30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/backport.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/benchmark-parser.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/benchmark.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-alternative-runtime.yml:30
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-alternative-runtime.yml:61
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-alternative-runtime.yml:89
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:120
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:110
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:153
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:183
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:213
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ci.yml:252
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:37
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:51
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:77
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:103
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/citgm-package.yml:49
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/citgm.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/coverage-nix.yml:13
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/coverage-win.yml:13
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/integration-alternative-runtimes.yml:24
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/integration.yml:24
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:10
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/links-check.yml:16
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/lint-ecosystem-order.yml:18
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/md-lint.yml:23
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/missing_types.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/package-manager-ci.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/package-manager-ci.yml:51
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/pull-request-title.yml:13
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-compare.yml:14
- Info: topLevel 'contents' permission set to 'read': .github/workflows/backport.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/benchmark-parser.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/benchmark.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci-alternative-runtime.yml:23
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:29
- Info: topLevel 'contents' permission set to 'read': .github/workflows/citgm-package.yml:42
- Info: topLevel 'contents' permission set to 'read': .github/workflows/citgm.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage-nix.yml:7
- Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage-win.yml:7
- Info: topLevel 'contents' permission set to 'read': .github/workflows/integration-alternative-runtimes.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/integration.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:5
- Info: topLevel 'contents' permission set to 'read': .github/workflows/links-check.yml:10
- Info: topLevel 'contents' permission set to 'read': .github/workflows/lint-ecosystem-order.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/lock-threads.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/md-lint.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/missing_types.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/package-manager-ci.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/pull-request-title.yml:7
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test-compare.yml:7
- Info: topLevel 'contents' permission set to 'read': .github/workflows/website.yml:15
Reason
0 existing vulnerabilities detected
Reason
project is fuzzed
Details
- Info: OSSFuzz integration found
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
Found 26/28 approved changesets -- score normalized to 9
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
badge detected: Passing
Reason
SAST tool is not run on all commits -- score normalized to 1
Details
- Warn: 5 commits out of 28 are checked with a SAST tool
Reason
dangerous workflow patterns detected
Details
- Warn: untrusted code checkout '${{github.event.pull_request.head.sha}}': .github/workflows/benchmark-parser.yml:25
- Warn: untrusted code checkout '${{github.event.pull_request.head.sha}}': .github/workflows/benchmark.yml:25
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/backport.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/backport.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-parser.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark-parser.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-parser.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark-parser.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-parser.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark-parser.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark-parser.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark-parser.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-alternative-runtime.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci-alternative-runtime.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:254: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:219: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/citgm-package.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/citgm-package.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/citgm-package.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/citgm-package.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/citgm-package.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/citgm-package.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/citgm-package.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/citgm-package.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/citgm.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/citgm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-nix.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/coverage-nix.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-nix.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/coverage-nix.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-win.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/coverage-win.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-win.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/coverage-win.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-alternative-runtimes.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration-alternative-runtimes.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-alternative-runtimes.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration-alternative-runtimes.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-alternative-runtimes.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration-alternative-runtimes.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/labeler.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/links-check.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/links-check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint-ecosystem-order.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/lint-ecosystem-order.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint-ecosystem-order.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/lint-ecosystem-order.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/md-lint.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/md-lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/md-lint.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/md-lint.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/missing_types.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/missing_types.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-manager-ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/package-manager-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-manager-ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/package-manager-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/package-manager-ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/package-manager-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-manager-ci.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/package-manager-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-manager-ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/package-manager-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull-request-title.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/pull-request-title.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-compare.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/fastify/test-compare.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark-parser.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark-parser.yml:57
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:57
- Warn: npmCommand not pinned by hash: .github/workflows/ci-alternative-runtime.yml:52
- Warn: npmCommand not pinned by hash: .github/workflows/ci-alternative-runtime.yml:75
- Warn: npmCommand not pinned by hash: .github/workflows/ci-alternative-runtime.yml:99
- Warn: npmCommand not pinned by hash: .github/workflows/ci-alternative-runtime.yml:102
- Warn: npmCommand not pinned by hash: .github/workflows/ci-alternative-runtime.yml:108
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:170
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:93
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:199
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:227
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:230
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:236
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:67
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:142
- Warn: npmCommand not pinned by hash: .github/workflows/citgm-package.yml:66
- Warn: npmCommand not pinned by hash: .github/workflows/citgm-package.yml:90
- Warn: npmCommand not pinned by hash: .github/workflows/coverage-nix.yml:28
- Warn: npmCommand not pinned by hash: .github/workflows/md-lint.yml:39
- Warn: downloadThenRun not pinned by hash: .github/workflows/package-manager-ci.yml:72
- Info: 0 out of 44 GitHub-owned GitHubAction dependencies pinned
- Info: 3 out of 19 third-party GitHubAction dependencies pinned
- Info: 0 out of 21 npmCommand dependencies pinned
- Info: 0 out of 1 downloadThenRun dependencies pinned
Score
6.9
/10
Last Scanned on 2025-05-19
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More