@fastify/cors
@@ -17,2 +17,7 @@ name: CI | ||
| # This allows a subsequently queued workflow run to interrupt previous runs | ||
| concurrency: | ||
| group: "${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" | ||
| cancel-in-progress: true | ||
| permissions: | ||
@@ -19,0 +24,0 @@ contents: read |
+3
-1
@@ -159,3 +159,5 @@ 'use strict' | ||
| function addCorsHeadersHandler (fastify, options, req, reply, next) { | ||
| function addCorsHeadersHandler (fastify, globalOptions, req, reply, next) { | ||
| const options = { ...globalOptions, ...req.routeOptions.config?.cors } | ||
| if ((typeof options.origin !== 'string' && options.origin !== false) || options.dynamic) { | ||
@@ -162,0 +164,0 @@ // Always set Vary header for non-static origin option |
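Review bot: The shallow merge `{ ...globalOptions, ...req.routeOptions.config?.cors }` lets a route override replace `origin` while silently keeping every other registration-time setting, so a route that widens `origin` still inherits whatever the plugin was registered with (for example a `credentials` setting, if one was set). A comment next to the merge would make that explicit, e.g. `// Route config is shallow-merged over plugin options; keys the route omits (credentials, methods, …) are inherited`. The visible lines do not show whether the route-level object goes through the same normalization or validation as the registration options, and spreading `cors: false` adds no keys, so the disable case has to be handled before this function runs; both are worth confirming. The body of addCorsHeadersHandler continues outside the hunk.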
+4
-9
| { | ||
| "name": "@fastify/cors", | ||
| "version": "11.1.0", | ||
| "version": "11.2.0", | ||
| "description": "Fastify CORS", | ||
@@ -62,3 +62,2 @@ "main": "index.js", | ||
| "devDependencies": { | ||
| "@fastify/pre-commit": "^2.1.0", | ||
| "@types/node": "^24.0.8", | ||
@@ -70,4 +69,4 @@ "c8": "^10.1.2", | ||
| "neostandard": "^0.12.0", | ||
| "tsd": "^0.32.0", | ||
| "typescript": "~5.8.2" | ||
| "tsd": "^0.33.0", | ||
| "typescript": "~5.9.2" | ||
| }, | ||
@@ -83,7 +82,3 @@ "dependencies": { | ||
| "access": "public" | ||
| }, | ||
| "pre-commit": [ | ||
| "lint", | ||
| "test" | ||
| ] | ||
| } | ||
| } |
+20
-6
@@ -119,5 +119,5 @@ # @fastify/cors | ||
| ### Disabling CORS for a specific route | ||
| ### Route-Level CORS Overrides | ||
| CORS can be disabled at the route level by setting the `cors` option to `false`. | ||
| It is possible to override the CORS plugin options provided during registration on a per-route basis using the `config.cors` option. | ||
@@ -127,9 +127,23 @@ ```js | ||
| fastify.register(require('@fastify/cors'), { origin: '*' }) | ||
| fastify.register(require('@fastify/cors'), { origin: 'https://example.com' }) | ||
| fastify.get('/cors-enabled', (_req, reply) => { | ||
| reply.send('CORS headers') | ||
| reply.send('CORS headers applied') | ||
| }) | ||
| fastify.get('/cors-disabled', { cors: false }, (_req, reply) => { | ||
| fastify.get('/cors-allow-all', { | ||
| config: { | ||
| cors: { | ||
| origin: '*', // Allow all origins for this route | ||
| }, | ||
| }, | ||
| }, (_req, reply) => { | ||
| reply.send('Custom CORS headers applied') | ||
| }) | ||
| fastify.get('/cors-disabled', { | ||
| config: { | ||
| cors: false, // Disable CORS for this route | ||
| }, | ||
| }, (_req, reply) => { | ||
| reply.send('No CORS headers') | ||
@@ -200,2 +214,2 @@ }) | ||
| Licensed under [MIT](./LICENSE).<br/> | ||
| [`expressjs/cors` license](https://github.com/expressjs/cors/blob/master/LICENSE) | ||
| [`expressjs/cors` license](https://github.com/expressjs/cors/blob/master/LICENSE) |
+72
-0
@@ -1053,1 +1053,73 @@ 'use strict' | ||
| }) | ||
| test('Should support route-level config', async t => { | ||
| t.plan(9) | ||
| const fastify = Fastify() | ||
| fastify.register(cors, { | ||
| origin: 'https://default-example.com' | ||
| }) | ||
| // Route with default CORS (inherits plugin config) | ||
| fastify.get('/cors-enabled', (_req, reply) => { | ||
| reply.send('CORS headers applied') | ||
| }) | ||
| // Route with custom CORS origin | ||
| fastify.get('/cors-allow-all', { | ||
| config: { | ||
| cors: { | ||
| origin: '*' | ||
| } | ||
| } | ||
| }, (_req, reply) => { | ||
| reply.send('Custom CORS headers applied') | ||
| }) | ||
| // Route with CORS disabled | ||
| fastify.get('/cors-disabled', { | ||
| config: { | ||
| cors: false | ||
| } | ||
| }, (_req, reply) => { | ||
| reply.send('No CORS headers') | ||
| }) | ||
| await fastify.ready() | ||
| // Default CORS | ||
| const resDefault = await fastify.inject({ | ||
| method: 'GET', | ||
| url: '/cors-enabled', | ||
| headers: { | ||
| origin: 'https://default-example.com' | ||
| } | ||
| }) | ||
| t.assert.ok(resDefault) | ||
| t.assert.strictEqual(resDefault.statusCode, 200) | ||
| t.assert.strictEqual(resDefault.headers['access-control-allow-origin'], 'https://default-example.com') | ||
| // Custom CORS | ||
| const resCustom = await fastify.inject({ | ||
| method: 'GET', | ||
| url: '/cors-allow-all', | ||
| headers: { | ||
| origin: 'https://example.com' | ||
| } | ||
| }) | ||
| t.assert.ok(resCustom) | ||
| t.assert.strictEqual(resCustom.statusCode, 200) | ||
| t.assert.strictEqual(resCustom.headers['access-control-allow-origin'], '*') | ||
| // CORS disabled | ||
| const resDisabled = await fastify.inject({ | ||
| method: 'GET', | ||
| url: '/cors-disabled', | ||
| headers: { | ||
| origin: 'https://example.com' | ||
| } | ||
| }) | ||
| t.assert.ok(resDisabled) | ||
| t.assert.strictEqual(resDisabled.statusCode, 200) | ||
| t.assert.strictEqual(resDisabled.headers['access-control-allow-origin'], undefined) | ||
| }) |
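Review bot: The new test only sends simple GET requests, so it does not show whether route-level `config.cors` is honoured when a preflight is answered; an `OPTIONS` request to `/cors-allow-all` and `/cors-disabled` with `access-control-request-method: 'GET'` would pin that down. It also leaves the merge semantics untested: registering with an extra option such as `credentials: true` and asserting `access-control-allow-credentials` on `/cors-allow-all` would make the inherited settings explicit. `t.plan(9)` would need to be raised to match any added assertions.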
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package