Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
@fastify/flash
Advanced tools
@fastify/flash
The flash is a special area of the session used for storing messages. Messages are written to the flash and cleared after being displayed to the user. The flash is typically used in combination with redirects, ensuring that the message is available to the next page that is to be rendered.
This plugin is inspired by connect-flash.
Install
npm i @fastify/flash
Usage
Flash messages are stored in the session. First, we need to register the session plugin: @fastify/secure-session.
const fastify = require('fastify')()
const fastifySession = require('@fastify/secure-session')
const fastifyFlash = require('@fastify/flash')
fastify.register(fastifySession, {
// adapt this to point to the directory where secret-key is located
key: fs.readFileSync(path.join(__dirname, 'secret-key')),
cookie: {
// options from setCookie, see https://github.com/fastify/fastify-cookie
}
})
fastify.register(fastifyFlash)
fastify.get('/test', (req, reply) => {
req.flash('warning', ['username required', 'password required'])
const warning = reply.flash('warning')
reply.send({ warning }) // {"warning":["username required","password required"]}
})
Note on session plugin
@fastify/secure-session can be replaced by any session plugin as long as it:
- registers via the onRequest hook
- supports req.session as the session store
API
Set flash messages
Signature
req.flash(type: string, ...message: string[] | [string[]]): number
It can be called in three different ways:
req.flash('info', 'Welcome back')req.flash('warning', ['username required', 'password required'])req.flash('info', 'Hello %s', 'Jared') // will use util.format to format the string
req.flash returns the number of messages stored with the provided type.
Get flash messages
signature
reply.flash(type?: string): { [k: string]: undefined | string[] } | string[]
It can be called in two different ways:
reply.flash() // returns all messages as object { [k: string]: undefined | string[] }reply.flash('info') // returns an array of messages that are stored with the provided type
License
Licensed under MIT.
FAQs
Flash message plugin for fastify.
The npm package @fastify/flash receives a total of 15,101 weekly downloads. As such, @fastify/flash popularity was classified as popular.
We found that @fastify/flash demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 19 open source maintainers collaborating on the project.
Package last updated on 10 Jan 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025