v3.6.0 (7 February 2026): Improvement, Fix

Fastify v5 Migration & Request-Scoped Audit Logging

Improved

  • Fastify v5 upgrade — Migrated from Fastify 4.29.1 to 5.7.4 with all plugins updated to v5-compatible versions. Fastify v4 reached end-of-life on 30 June 2025; this resolves 3 outstanding security advisories (Content-Type bypass, sendWebStream DoS, fast-jwt iss validation)
  • Request-scoped audit logging — Audit writes now use the RLS-aware database client inside the request transaction, with organisation_id auto-injected from request context. Replaces the previous instance-scoped decorator that bypassed tenant isolation
  • Route response schemas — Added missing HTTP status codes (400, 404, 409) to route response schemas across auth, registration, accounts, transactions, and email verification routes. Fastify v5 enforces strict type-checking against declared response codes

Fixed

  • Silent audit log failures — Since RLS was enabled in v3.5.0, all tenant audit writes had been silently rejected because the audit decorator used a raw pool connection without RLS context. The 282 existing audit entries are preserved; new entries now write correctly with full tenant isolation
  • Plugin version constraints — Updated api-request-logger and rls-transaction plugins from fastify: '4.x' to '5.x' to resolve FST_ERR_PLUGIN_VERSION_MISMATCH startup failures
  • Error handler type safety — Fastify v5 changed the error handler signature so the error argument is typed as unknown. Added type narrowing for the Zod, validation, database, and generic error branches

Security

  • Dependency audit — Reduced reported vulnerabilities from 4 to 1; the remaining one is esbuild (moderate severity, dev-only via vitest/vite, not in production)
  • Audit trail integrity — Tenant audit entries are now part of the same database transaction as the data change. If a transaction rolls back, the audit entry rolls back with it, preventing phantom audit records
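The request-scoped audit write from the Improved section, the silent-failure bug from the Fixed section and the rollback guarantee above, as an added example that is not SpeyBooks code: an in-memory stand-in for an RLS-protected audit_log table contrasts the old instance-scoped decorator (whose insert RLS rejects and whose error is swallowed) with a write through the request's client inside the tenant transaction. FakeDb, withRlsTransaction, request.db and the app.current_org setting name are assumptions.

```javascript
// Added example, not SpeyBooks code. FakeDb is a constructed in-memory stand-in for a
// Postgres connection whose audit_log table carries an RLS WITH CHECK policy comparing
// organisation_id to the session setting app.current_org (an assumed setting name).
class FakeDb {
  constructor() { this.committed = []; this.pending = []; this.currentOrg = null; }
  async query(sql, params = []) {
    if (sql === 'BEGIN') { this.pending = []; return; }
    if (sql === 'COMMIT') { this.committed.push(...this.pending); this.pending = []; this.currentOrg = null; return; }
    if (sql === 'ROLLBACK') { this.pending = []; this.currentOrg = null; return; }
    if (sql.startsWith('SELECT set_config')) { this.currentOrg = params[0]; return; }
    if (sql.startsWith('INSERT INTO audit_log')) {
      // Emulated RLS policy: the new row's organisation_id must equal the session setting.
      if (params[0] !== this.currentOrg) throw new Error('new row violates row-level security policy for table "audit_log"');
      this.pending.push({ organisationId: params[0], action: params[1] });
    }
  }
}

// Pre-v3.6.0 shape: an instance-scoped decorator holding a raw pool connection. No tenant
// context was ever set on that connection, so RLS rejects every tenant row and the
// catch swallows the error, which is the silent failure described in the Fixed section.
async function instanceScopedAudit(pool, organisationId, action) {
  try {
    await pool.query('INSERT INTO audit_log (organisation_id, action) VALUES ($1, $2)', [organisationId, action]);
    return true;
  } catch { return false; }
}

// v3.6.0 shape: the write goes through the request's RLS-aware client, with organisation_id
// taken from request context, so it lives in the same transaction as the data change.
async function requestScopedAudit(request, action) {
  await request.db.query('INSERT INTO audit_log (organisation_id, action) VALUES ($1, $2)',
    [request.organisationId, action]);
}

// Assumed shape of the rls-transaction plugin: BEGIN, set tenant context for this
// transaction only (set_config with is_local = true), run the handler, then COMMIT or ROLLBACK.
async function withRlsTransaction(db, organisationId, handler) {
  await db.query('BEGIN');
  await db.query("SELECT set_config('app.current_org', $1, true)", [organisationId]);
  try {
    await handler({ db, organisationId });
    await db.query('COMMIT');
    return 'committed';
  } catch {
    await db.query('ROLLBACK'); // the audit row rolls back together with the data change
    return 'rolled back';
  }
}
```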

Migration notes

  • Zero breaking changes to the SpeyBooks API contract
  • 16 files changed across server core, middleware, and 8 route modules (23 audit call sites migrated)
  • authAudit remains instance-scoped and writes to the global auth_audit_log table (intentionally pre-tenant for security events)

Known issues

  • esbuild dev server vulnerability (GHSA-67mh-4wv8-2f99) — dev-only dependency via vitest/vite, not present in production. Fix requires vite/vitest bump