Skip to content

chore(deps-dev): bump @nestjs/core from 11.1.6 to 11.1.18#31

Open
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/nestjs/core-11.1.18
Open

chore(deps-dev): bump @nestjs/core from 11.1.6 to 11.1.18#31
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/nestjs/core-11.1.18

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps @nestjs/core from 11.1.6 to 11.1.18.

Release notes

Sourced from @​nestjs/core's releases.

v11.1.18 (2026-04-03)

Bug fixes

Dependencies

Committers: 6

v11.1.17 (2026-03-16)

Enhancements

Bugs

Dependencies

Committers: 3

... (truncated)

Commits
  • 3c1cc5f chore(release): publish v11.1.18 release
  • 0f962c7 fix(core): sanitize sse message
  • 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
  • 368691c fix(core): prevent injector hang when design:paramtypes is missing
  • 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
  • 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
  • f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
  • d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
  • 4677434 feat(core): export IEntryNestModule type
  • 7493b94 fix(core): dependency injection edge case with moduleref.create
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps-dev): bump @nestjs/core from 11.1.6 to 11.1.18
4c3192d 
Bumps [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core) from 11.1.6 to 11.1.18.
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.18/packages/core)

---
updated-dependencies:
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.18
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 6, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 6, 2026

⚠️ No Changeset found

Latest commit: 4c3192d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedhandlebars@​4.7.8992510089100
Updatedeslint@​8.55.0 ⏵ 8.52.089 +110010050100
Added@​firebase/​app-types@​0.9.3731006899100
Added@​vitest/​coverage-v8@​0.34.6991006898100
Updated@​typescript-eslint/​parser@​6.13.2 ⏵ 6.9.11001007098100
Updatedeslint-config-prettier@​9.1.0 ⏵ 9.0.01001007288100
Added@​types/​randomstring@​1.1.111001007276100
Added@​commitlint/​cli@​18.2.0991007497100
Addedcz-conventional-changelog@​3.3.0991008975100
Addedsolapi@​5.3.0851008478100
Addedvitest@​0.34.6961007898100
Addedhusky@​8.0.31001007980100
Updated@​typescript-eslint/​eslint-plugin@​6.13.2 ⏵ 6.9.1991007998100
Addedrandomstring@​1.3.11001009980100
Updated@​types/​node@​20.10.4 ⏵ 22.10.71001008196100
Addedtsup@​6.7.0961009483100
Added@​google-cloud/​storage@​6.12.09310010084100
Addedcommitizen@​4.3.09910010085100
Addedturbo@​2.5.81001008697100
Addedsyncpack@​11.2.1991009287100
Addedmixpanel@​0.18.19910010087100
Updatedtypescript@​5.3.2 ⏵ 5.9.31001009010090
Updatedprettier@​3.1.0 ⏵ 3.0.39110097 +190100
Addedfirebase-admin@​13.5.0961009991100
Addedgoogle-auth-library@​10.4.09110010093100
Added@​swc/​core@​1.3.99921009896100
Updated@​nestjs/​core@​10.2.10 ⏵ 11.1.1893 +1100 +210096100
Addedlint-staged@​14.0.19910010095100
Added@​changesets/​cli@​2.26.29510010097100
Addedgoogleapis@​161.0.010010010096100
Updated@​nestjs/​common@​10.2.10 ⏵ 11.1.6100100 +210096 +1100
Added@​commitlint/​config-conventional@​18.1.010010010096100
Addedopenai@​6.1.0100100100100100

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 6, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL)

Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4

Patched version: 4.5.4

From: pnpm-lock.yamlnpm/@google-cloud/storage@6.12.0npm/fast-xml-parser@4.3.2

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL)

Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4

Patched version: 4.5.4

From: pnpm-lock.yamlnpm/fast-xml-parser@4.5.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: packages/nestjs-solapi/package.jsonnpm/handlebars@4.7.8

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm vite is 92.0% likely obfuscated

Confidence: 0.92

Location: Package overview

From: pnpm-lock.yamlnpm/vitest@0.34.6npm/vite@5.0.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@5.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants