There is currently no verson of fastify/jwt 8.x version without vulns. Let me help fix it!

[JohnAllenTech]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

Hi 👋,

I am currently using @fastify/jwt@8.x alongside Fastify v4 in our production services. A medium-severity vulnerability was reported by Snyk in a transitive dependency — fast-jwt — which affects our setup. The vulnerability is resolved in fast-jwt@5.0.6.

Unfortunately, @fastify/jwt@8.x uses an older version of fast-jwt, and upgrading to @fastify/jwt@9.x is not an immediate option right now, as it requires Fastify v5, which is ESM-only and introduces additional migration complexity.

Request:
Would you be open to releasing a patch version of @fastify/jwt@8.x that bumps the fast-jwt dependency to a version ≥5.0.6 (if it's backward compatible)? I’d be happy to submit a PR and test the update if needed.

Heres a list to the underlying vuln

https://nvd.nist.gov/vuln/detail/CVE-2025-30144
GHSA-gm45-q3v2-6cf8

Thanks for maintaining such a great project! 🙏

[jsumners]

Fastify v5 is not ESM only.

[jsumners]

v5 of fast-jwt drops support for Node v18, but version 8.x of this module continues to support Node v18. I'd recommend providing a patch to fast-jwt that fixes their v4 branch.