Skip to content

chore(deps)!: update vulnerable dependencies — NestJS 11 upgrade (71 → 0 advisories)#84

Merged
theanmolsharma merged 2 commits into
mainfrom
chore/update-vulnerable-deps
Jun 22, 2026
Merged

chore(deps)!: update vulnerable dependencies — NestJS 11 upgrade (71 → 0 advisories)#84
theanmolsharma merged 2 commits into
mainfrom
chore/update-vulnerable-deps

Conversation

@theanmolsharma

Copy link
Copy Markdown
Collaborator

Summary

Resolves all 71 npm audit advisories (1 critical, 22 high, 43 moderate, 5 low) → 0 remaining. Split into two commits so the safe non-breaking patches can be reviewed independently of the framework major.

Phase 1 — non-breaking patches (425c049)

Lockfile-only (npm audit fix), 71 → 53, no package.json changes. Fixes the critical fast-xml-parser RCE plus high-severity axios, typeorm (SQL injection), validator, form-data, serialize-javascript, and ws — all within existing semver ranges (~250 transitive bumps).

Phase 2 — NestJS 11 + leaf overrides (c151ec1)

53 → 0. Every remaining advisory traced either to the first-party @nestjs/* packages or to two leaf dependencies (multer, js-yaml).

Change From → To Why
@nestjs/* — core, common, platform-*, swagger, typeorm, config, schedule, event-emitter, passport, cli, testing 10 → 11.1.27 (+ 4/6/11 majors) first-party advisories; pulls in Express 5
nodemailer 7 → 9 high-severity advisory
multer (via overrides) 2.1.1 → 2.2.0 upload DoS — genuinely exploitable here (FileInterceptor is used); platform-express@11 still ships 2.1.1
js-yaml (dep + overrides) 4 → 5 merge-key quadratic-DoS
prettier / eslint-plugin-prettier 2→3 / 4→5 required by Nest 11 schematics' peer dep; reflowed 4 files, no logic change
@types/express 4→5, @types/nodemailer 7→8, rxjs floor → ^7.8.1 peer alignment

Only application code change: createParamDecorator dropped its middle generic in Nest 11 — <string, ExecutionContext, User><string, User>.

⚠️ Breaking change — Express 5

@nestjs/platform-express@11 runs on Express 5. All controller routes use named :params, and the catch-all logger middleware (forRoutes('*')) was confirmed compatible (Nest normalises it). A full app boot initialises every module cleanly — only the local DB connection is absent. A boot/e2e against real Postgres + Redis is recommended before deploying, particularly the multer upload endpoints (FellowshipApplications, Fellowships) and the SMTP path.

🤖 Generated with Claude Code

theanmolsharma and others added 2 commits June 22, 2026 12:12
Resolves 18 advisories (71 -> 53 remaining) entirely within existing semver
ranges, with no package.json changes. Notably fixes the critical
fast-xml-parser RCE plus high-severity axios, typeorm (SQL injection),
validator, form-data, serialize-javascript, and ws advisories.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Upgrades the full NestJS ecosystem v10 -> v11 (core/common/platform-*/swagger/
typeorm/config/schedule/event-emitter/passport/cli/testing), which brings in
Express 5, and resolves the remaining 53 advisories (npm audit now reports 0).

- nodemailer 7 -> 9
- multer pinned to ^2.2.0 via overrides (fixes upload DoS; platform-express 11
  still ships the vulnerable 2.1.1)
- js-yaml 4 -> 5 (direct dep + override) to clear the merge-key DoS everywhere
- prettier 2 -> 3 and eslint-plugin-prettier 4 -> 5 (required by Nest 11
  schematics' peer dependency); reflowed 4 files, no logic changes
- @types/express 4 -> 5, @types/nodemailer 7 -> 8, rxjs floor -> ^7.8.1

Code change: createParamDecorator dropped its middle generic in Nest 11
(<TData, TInput, TOutput> -> <TData, TOutput>).

Verified: tsc, build, eslint, unit tests + coverage, npm ci, and a full app
boot (all modules initialise; only the local DB connection is absent).

BREAKING CHANGE: Express 5 underlies @nestjs/platform-express 11. All routes
use named :params and the catch-all middleware was confirmed compatible, but a
boot/e2e against real infra is recommended before deploying.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Vayras Vayras self-requested a review June 22, 2026 07:20
@theanmolsharma theanmolsharma merged commit c151ec1 into main Jun 22, 2026
2 checks passed
@theanmolsharma theanmolsharma deleted the chore/update-vulnerable-deps branch June 22, 2026 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants