chore(deps)!: update vulnerable dependencies — NestJS 11 upgrade (71 → 0 advisories)#84
Merged
Merged
Conversation
Resolves 18 advisories (71 -> 53 remaining) entirely within existing semver ranges, with no package.json changes. Notably fixes the critical fast-xml-parser RCE plus high-severity axios, typeorm (SQL injection), validator, form-data, serialize-javascript, and ws advisories. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Upgrades the full NestJS ecosystem v10 -> v11 (core/common/platform-*/swagger/ typeorm/config/schedule/event-emitter/passport/cli/testing), which brings in Express 5, and resolves the remaining 53 advisories (npm audit now reports 0). - nodemailer 7 -> 9 - multer pinned to ^2.2.0 via overrides (fixes upload DoS; platform-express 11 still ships the vulnerable 2.1.1) - js-yaml 4 -> 5 (direct dep + override) to clear the merge-key DoS everywhere - prettier 2 -> 3 and eslint-plugin-prettier 4 -> 5 (required by Nest 11 schematics' peer dependency); reflowed 4 files, no logic changes - @types/express 4 -> 5, @types/nodemailer 7 -> 8, rxjs floor -> ^7.8.1 Code change: createParamDecorator dropped its middle generic in Nest 11 (<TData, TInput, TOutput> -> <TData, TOutput>). Verified: tsc, build, eslint, unit tests + coverage, npm ci, and a full app boot (all modules initialise; only the local DB connection is absent). BREAKING CHANGE: Express 5 underlies @nestjs/platform-express 11. All routes use named :params and the catch-all middleware was confirmed compatible, but a boot/e2e against real infra is recommended before deploying. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Vayras
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all 71
npm auditadvisories (1 critical, 22 high, 43 moderate, 5 low) → 0 remaining. Split into two commits so the safe non-breaking patches can be reviewed independently of the framework major.Phase 1 — non-breaking patches (
425c049)Lockfile-only (
npm audit fix), 71 → 53, nopackage.jsonchanges. Fixes the criticalfast-xml-parserRCE plus high-severityaxios,typeorm(SQL injection),validator,form-data,serialize-javascript, andws— all within existing semver ranges (~250 transitive bumps).Phase 2 — NestJS 11 + leaf overrides (
c151ec1)53 → 0. Every remaining advisory traced either to the first-party
@nestjs/*packages or to two leaf dependencies (multer,js-yaml).@nestjs/*— core, common, platform-*, swagger, typeorm, config, schedule, event-emitter, passport, cli, testingnodemailermulter(viaoverrides)FileInterceptoris used);platform-express@11still ships 2.1.1js-yaml(dep +overrides)prettier/eslint-plugin-prettier@types/express4→5,@types/nodemailer7→8,rxjsfloor → ^7.8.1Only application code change:
createParamDecoratordropped its middle generic in Nest 11 —<string, ExecutionContext, User>→<string, User>.@nestjs/platform-express@11runs on Express 5. All controller routes use named:params, and the catch-all logger middleware (forRoutes('*')) was confirmed compatible (Nest normalises it). A full app boot initialises every module cleanly — only the local DB connection is absent. A boot/e2e against real Postgres + Redis is recommended before deploying, particularly the multer upload endpoints (FellowshipApplications,Fellowships) and the SMTP path.🤖 Generated with Claude Code