chore(deps): update dependency @nestjs/core to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/core (source)	8.4.4 → 9.0.5

---

@​nestjs/core vulnerable to Information Exposure via StreamableFile pipe

CVE-2023-26108 / GHSA-4jpv-8r57-pv7j

More information

Details

Versions of the package @​nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-26108
• https://github.com/nestjs/nest/issues/9759
• https://github.com/nestjs/nest/pull/9819
• https://github.com/nestjs/nest/pull/9819/commits/f59cf5e81ca73bcdf1b5b36713550fd93918db41
• https://security.snyk.io/vuln/SNYK-JS-NESTJSCORE-2869127
• https://github.com/advisories/GHSA-4jpv-8r57-pv7j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nestjs/nest (@​nestjs/core)

v9.0.5

Compare Source

v9.0.5 (2022-07-20)

Bug fixes

• common, platform-express
  • #​9819 fix: use pipeline over stream.pipe (@​jmcdo29)

Enhancements

• microservices
  • #​9798 feat(microservices): add noAssert option for RMQ connection (@​frankmangone)
  • #​9954 feat(microservices): add Kafka heartbeat callback to KafkaContext (@​kosh-b)
• platform-express, platform-fastify
  • #​9926 fix(express,fastify): raw body for urlencoded requests (@​tolgap)

Dependencies

• Other
  • #​9959 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/30-event-emitter (@​dependabot[bot])
  • #​9960 chore(deps): bump terser from 5.14.1 to 5.14.2 in /sample/32-graphql-federation-schema-first/users-application (@​dependabot[bot])
  • #​9961 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/gateway (@​dependabot[bot])
  • #​9962 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/users-application (@​dependabot[bot])
  • #​9963 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/32-graphql-federation-schema-first/posts-application (@​dependabot[bot])
  • #​9964 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/32-graphql-federation-schema-first/gateway (@​dependabot[bot])
  • #​9965 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/29-file-upload (@​dependabot[bot])
  • #​9966 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/28-sse (@​dependabot[bot])
  • #​9967 chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/posts-application (@​dependabot[bot])
  • #​9951 chore(deps-dev): bump mongoose from 6.4.4 to 6.4.5 (@​dependabot[bot])
  • #​9952 chore(deps-dev): bump concurrently from 7.2.2 to 7.3.0 (@​dependabot[bot])
• platform-fastify
  • #​9950 chore(deps): bump light-my-request from 5.1.0 to 5.2.0 (@​dependabot[bot])

Committers: 4

• Franco Mangone (@​frankmangone)
• Jay McDoniel (@​jmcdo29)
• Tolga Paksoy (@​tolgap)
• @​kosh-b

v9.0.4

Compare Source

v9.0.3

Compare Source

v9.0.2

Compare Source

v9.0.2

Bug fixes

• common
  • #​9904 fix(common): Fix CacheModule registerAsync (@​tugascript)

Enhancements

• core
  • #​9902 refactor(core): replace our own 1-level flatten by the native one (@​micalevisk)

Dependencies

• #​9906 chore(deps-dev): bump mongoose from 6.4.3 to 6.4.4 (@​dependabot[bot])
• #​9908 chore(deps-dev): bump cache-manager from 4.0.1 to 4.1.0 (@​dependabot[bot])
• #​9910 chore(deps-dev): bump @​nestjs/graphql from 10.0.16 to 10.0.18 (@​dependabot[bot])
• #​9911 chore(deps-dev): bump core-js from 3.23.3 to 3.23.4 (@​dependabot[bot])

Committers: 3

• Afonso Barracha (@​tugascript)
• Antonio T. alias Tony (@​Tony133)
• Micael Levi L. Cavalcante (@​micalevisk)

v9.0.1

Compare Source

v9.0.0

Compare Source

v9.0.0 (2022-07-08)

Article: https://trilon.io/blog/nestjs-9-is-now-available

Migration guide: https://docs.nestjs.com/migration-guide

Features

• common
  • #​9718 Feature/4752 file validators pipe (@​thiagomini)
  • #​9534 feat(core): add configurable module builder, module utils (@​kamilmysliwiec)
• common, core
  • #​9684 feat(core): read–eval–print loop feature (@​kamilmysliwiec)
  • #​9697 feat(core): add durable providers feature (@​kamilmysliwiec)

Bug fixes

• microservices
  • #​9674 fix(microservices): Fixed typings for MessageHandler (@​dkonasov)
  • #​9587 fix(microservices): revert grpc client interceptors (grpc-specific) (@​kamilmysliwiec)

Enhancements

• common, core, platform-express, platform-fastify
  • #​8802 fix: only send exception responses if header is not already sent (@​wSedlacek)
  • #​9591 feat(common,core): make HttpServer#applyVersionFilter mandatory (@​micalevisk)
• common
  • #​9705 feat(common): Add error chaining support to http exception (@​vinnymac)
  • #​9383 feat(common): disallow usage of inject on class and value providers at type level (@​micalevisk)
  • #​9023 fix: fix factory provider definition (@​ZanMinKian)
  • #​8459 fix(common): ParseUUIDPipe - throw exceptions with exceptionFactory only (@​titivuk)
• microservices
  • #​9681 fix(microservices): allow postfixId on KafkaOptions to be an empty string (@​micalevisk)
  • #​8798 feat(microservices): migrate redis transporter to internally use ioredis package (@​kamilmysliwiec)
  • #​9586 feat(microservices): add kafka retriable exception, auto-unwrap payloads (@​kamilmysliwiec)
• core
  • #​9720 fix(core): prevent renaming global providers and modules in the repl (@​micalevisk)
  • #​9596 feat(core): throw an exception instead of logging due to module import misusage (@​micalevisk)
• common, core, microservices
  • #​9604 refactor(common,core,microservices): drop all deprecated methods (@​micalevisk)
• core, websockets
  • #​9491 feat(core,websockets): use rxjs to check if values are observables (@​micalevisk)

Dependencies

• Other
  • #​9885 chore(deps-dev): bump @​fastify/static from 5.0.0 to 6.4.0 (@​dependabot[bot])
  • #​9883 chore(deps-dev): bump ioredis from 5.0.4 to 5.1.0 (@​dependabot[bot])
  • #​9884 chore(deps-dev): bump nodemon from 2.0.18 to 2.0.19 (@​dependabot[bot])
  • #​9886 chore(deps-dev): bump supertest from 6.2.3 to 6.2.4 (@​dependabot[bot])
  • #​9888 chore(deps-dev): bump @​types/cache-manager from 4.0.0 to 4.0.1 (@​dependabot[bot])
  • #​9889 chore(deps): bump cli-color from 2.0.2 to 2.0.3 (@​dependabot[bot])
  • #​9890 chore(deps-dev): bump @​types/node from 18.0.0 to 18.0.3 (@​dependabot[bot])
  • #​9882 chore(deps-dev): bump @​fastify/multipart from 6.0.0 to 7.1.0 (@​dependabot[bot])
  • #​9869 chore(deps): bump fast-json-stringify from 5.0.1 to 5.0.6 (@​dependabot[bot])
  • #​9851 chore(deps-dev): bump kafkajs from 2.0.2 to 2.1.0 (@​dependabot[bot])
  • #​9848 chore(deps-dev): bump graphql-tools from 8.2.13 to 8.3.0 (@​dependabot[bot])
  • #​9837 chore(deps-dev): bump @​commitlint/config-angular from 17.0.0 to 17.0.3 (@​dependabot[bot])
  • #​9871 chore(deps-dev): bump redis from 3.1.2 to 4.2.0 (@​dependabot[bot])
  • #​9870 chore(deps-dev): bump mongoose from 6.4.0 to 6.4.3 (@​dependabot[bot])
  • #​9852 chore(deps-dev): bump @​types/sinon from 10.0.11 to 10.0.12 (@​dependabot[bot])
  • #​9766 chore(deps): bump middie from 6.1.0 to 7.1.0 (@​dependabot[bot])
  • #​9876 chore(deps): bump moment from 2.29.2 to 2.29.4 in /sample/07-sequelize (@​dependabot[bot])
  • #​9875 chore(deps): bump moment from 2.29.2 to 2.29.4 in /sample/26-queues (@​dependabot[bot])
  • #​9877 chore(deps): bump moment from 2.29.2 to 2.29.4 in /sample/27-scheduling (@​dependabot[bot])
  • #​9878 chore(deps): bump moment from 2.29.2 to 2.29.4 (@​dependabot[bot])
  • #​9838 chore(deps-dev): bump core-js from 3.23.2 to 3.23.3 (@​dependabot[bot])
  • #​9839 chore(deps-dev): bump @​commitlint/cli from 17.0.2 to 17.0.3 (@​dependabot[bot])
  • #​9841 chore(deps-dev): bump lint-staged from 13.0.2 to 13.0.3 (@​dependabot[bot])
  • #​9830 chore(deps-dev): bump nodemon from 2.0.16 to 2.0.18 (@​dependabot[bot])
  • #​9828 chore(deps): bump fast-json-stringify from 4.2.0 to 5.0.1 (@​dependabot[bot])
  • #​9827 chore(deps-dev): bump graphql-tools from 8.2.12 to 8.2.13 (@​dependabot[bot])
  • #​9815 chore(deps-dev): bump core-js from 3.23.1 to 3.23.2 (@​dependabot[bot])
  • #​9796 chore(deps-dev): bump prettier from 2.7.0 to 2.7.1 (@​dependabot[bot])
  • #​9807 chore(deps-dev): bump mongoose from 6.3.8 to 6.4.0 (@​dependabot[bot])
  • #​9808 chore(deps-dev): bump typescript from 4.7.3 to 4.7.4 (@​dependabot[bot])
  • #​9791 chore(deps-dev): bump apollo-server-core from 3.8.2 to 3.9.0 (@​dependabot[bot])
  • #​9790 chore(deps-dev): bump @​nestjs/apollo from 10.0.14 to 10.0.16 (@​dependabot[bot])
  • #​9787 chore(deps-dev): bump apollo-server-express from 3.8.2 to 3.9.0 (@​dependabot[bot])
  • #​9788 chore(deps-dev): bump @​types/node from 17.0.43 to 18.0.0 (@​dependabot[bot])
  • #​9792 chore(deps-dev): bump @​nestjs/graphql from 10.0.15 to 10.0.16 (@​dependabot[bot])
  • #​9794 chore(deps-dev): bump lint-staged from 13.0.1 to 13.0.2 (@​dependabot[bot])
  • #​9779 chore(deps-dev): bump concurrently from 7.2.1 to 7.2.2 (@​dependabot[bot])
  • #​9780 chore(deps-dev): bump @​types/node from 17.0.42 to 17.0.43 (@​dependabot[bot])
  • #​9781 chore(deps-dev): bump core-js from 3.23.0 to 3.23.1 (@​dependabot[bot])
  • #​9782 chore(deps-dev): bump @​nestjs/mongoose from 9.1.0 to 9.1.1 (@​dependabot[bot])
  • #​9772 chore(deps-dev): bump prettier from 2.6.2 to 2.7.0 (@​dependabot[bot])
  • #​9734 chore(deps-dev): bump ts-node from 10.8.0 to 10.8.1 (@​dependabot[bot])
  • #​9761 chore(deps): bump fast-json-stringify from 4.1.0 to 4.2.0 (@​dependabot[bot])
  • #​9771 chore(deps-dev): bump core-js from 3.22.8 to 3.23.0 (@​dependabot[bot])
  • #​9773 chore(deps-dev): bump @​types/cache-manager from 3.4.3 to 4.0.0 (@​dependabot[bot])
  • #​9522 chore(deps-dev): bump mocha from 9.2.2 to 10.0.0 (@​dependabot[bot])
• platform-fastify
  • #​9853 chore(deps): bump fastify from 3.29.0 to 4.2.0 (@​dependabot[bot])
• microservices, testing
  • #​9825 chore(deps): update dependency got to 11.8.5 [security] (@​renovate[bot])
• platform-ws
  • #​9770 chore(deps): bump ws from 8.7.0 to 8.8.0 (@​dependabot[bot])

Committers: 13

• Dylan Lundy (@​diesal11)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Kanstantsin Tatarchuk (@​titivuk)
• Marcin Wojciechowski (@​Wojciechowski-Marcin)
• Micael Levi L. Cavalcante (@​micalevisk)
• Thiago Valentim (@​thiagomini)
• Vincent Taverna (@​vinnymac)
• William Sedlacek (@​wSedlacek)
• @​chunghha
• @​dkonasov
• @​yevgeniypak
• 曾明健 (@​ZanMinKian)
• 정우병 (@​woobottle)

v8.4.7

Compare Source

v8.4.7 (2022-06-14)

Enhancements

• microservices
  • #​9719 feat(microservices): exposes base context on the main package (@​delucca)
  • #​9751 fix(microservices): adds feedback message when RabbitMQ server connection hangs (@​delucca)
• common
  • #​9742 Improve stripProtoKeys performance, especially for TypedArray (@​mjgp2)

Dependencies

• #​9731 chore(deps-dev): bump apollo-server-core from 3.8.1 to 3.8.2 (@​dependabot[bot])
• #​9762 chore(deps-dev): bump lint-staged from 13.0.0 to 13.0.1 (@​dependabot[bot])
• #​9764 chore(deps-dev): bump graphql-tools from 8.2.11 to 8.2.12 (@​dependabot[bot])
• #​9765 chore(deps-dev): bump point-of-view from 6.2.1 to 6.3.0 (@​dependabot[bot])
• #​9769 chore(deps-dev): bump mongoose from 6.3.5 to 6.3.8 (@​dependabot[bot])
• #​9729 chore(deps-dev): bump cache-manager from 4.0.0 to 4.0.1 (@​dependabot[bot])
• #​9730 chore(deps-dev): bump typescript from 4.7.2 to 4.7.3 (@​dependabot[bot])
• #​9732 chore(deps-dev): bump apollo-server-express from 3.8.1 to 3.8.2 (@​dependabot[bot])
• #​9735 chore(deps-dev): bump ts-morph from 15.0.0 to 15.1.0 (@​dependabot[bot])
• #​9740 chore(deps-dev): bump @​grpc/proto-loader from 0.6.12 to 0.6.13 (@​dependabot[bot])
• #​9756 chore(deps-dev): bump @​types/node from 17.0.38 to 17.0.42 (@​dependabot[bot])
• #​9757 chore(deps): bump fast-json-stringify from 3.2.0 to 4.1.0 (@​dependabot[bot])
• #​9711 chore(deps-dev): bump @​nestjs/apollo from 10.0.13 to 10.0.14 (@​dependabot[bot])
• #​9712 chore(deps-dev): bump lint-staged from 12.5.0 to 13.0.0 (@​dependabot[bot])
• #​9710 chore(deps-dev): bump cache-manager from 3.6.3 to 4.0.0 (@​dependabot[bot])
• #​9709 chore(deps-dev): bump @​commitlint/cli from 17.0.1 to 17.0.2 (@​dependabot[bot])
• #​9713 chore(deps-dev): bump core-js from 3.22.7 to 3.22.8 (@​dependabot[bot])
• #​9723 chore(deps-dev): bump @​nestjs/graphql from 10.0.13 to 10.0.15 (@​dependabot[bot])
• #​9722 chore(deps): bump protobufjs from 6.11.2 to 6.11.3 (@​dependabot[bot])
• #​9721 chore(deps): bump protobufjs from 6.11.2 to 6.11.3 in /sample/04-grpc (@​dependabot[bot])
• #​9724 chore(deps-dev): bump amqplib from 0.9.1 to 0.10.0 (@​dependabot[bot])
• #​9700 chore(deps-dev): bump kafkajs from 2.0.1 to 2.0.2 (@​dependabot[bot])
• #​9701 chore(deps-dev): bump @​types/node from 17.0.36 to 17.0.38 (@​dependabot[bot])
• #​9702 chore(deps-dev): bump point-of-view from 5.3.0 to 6.2.1 (@​dependabot[bot])
• #​9703 chore(deps-dev): bump lint-staged from 12.4.3 to 12.5.0 (@​dependabot[bot])

Committers: 5

• Antonio T. alias Tony (@​Tony133)
• Daniel De Lucca (@​delucca)
• Matthew Painter (@​mjgp2)
• Sushant Zope (@​sushant9096)
• Volodymyr Tytarenko (@​bovatitar)

v8.4.6

Compare Source

v8.4.5

Compare Source

v8.4.5 (2022-05-13)

Bug fixes

• core
  • #​9456 fix(core): scoped injection with symbol field name (@​MyAeroCode)

Enhancements

• common
  • #​9496 feat(common): improve extensibility on few built-in pipes (@​micalevisk)
• core
  • #​9506 feat(core): enhance circular dependency error message (@​ntibi)

Dependencies

• Other
  • #​9566 chore(deps-dev): bump kafkajs from 1.16.0 to 2.0.0 (@​dependabot[bot])
  • #​9565 chore(deps-dev): bump @​types/node from 17.0.23 to 17.0.33 (@​dependabot[bot])
  • #​9562 chore(deps): bump fast-json-stringify from 3.0.3 to 3.2.0 (@​dependabot[bot])
  • #​9559 chore(deps-dev): bump @​commitlint/cli from 16.2.3 to 16.2.4 (@​dependabot[bot])
  • #​9560 chore(deps-dev): bump supertest from 6.2.2 to 6.2.3 (@​dependabot[bot])
  • #​9561 chore(deps-dev): bump @​grpc/proto-loader from 0.6.9 to 0.6.12 (@​dependabot[bot])
  • #​9563 chore(deps-dev): bump apollo-server-express from 3.6.7 to 3.7.0 (@​dependabot[bot])
  • #​9551 chore(deps-dev): bump mongoose from 6.3.2 to 6.3.3 (@​dependabot[bot])
  • #​9538 chore(deps-dev): bump engine.io-client from 6.1.1 to 6.2.2 (@​dependabot[bot])
  • #​9533 chore(deps-dev): bump fastify-static from 4.6.1 to 4.7.0 (@​dependabot[bot])
  • #​9535 chore(deps-dev): bump amqp-connection-manager from 4.1.2 to 4.1.3 (@​dependabot[bot])
  • #​9537 chore(deps-dev): bump typescript from 4.6.3 to 4.6.4 (@​dependabot[bot])
  • #​9532 chore(deps-dev): bump lint-staged from 12.3.7 to 12.4.1 (@​dependabot[bot])
  • #​9524 chore(deps-dev): bump fastify-multipart from 5.3.1 to 5.4.0 (@​dependabot[bot])
  • #​9530 chore(deps-dev): bump @​commitlint/config-angular from 16.2.3 to 16.2.4 (@​dependabot[bot])
  • #​9531 chore(deps-dev): bump nodemon from 2.0.15 to 2.0.16 (@​dependabot[bot])
  • #​9523 chore(deps-dev): bump @​types/mocha from 9.1.0 to 9.1.1 (@​dependabot[bot])
  • #​9525 chore(deps-dev): bump socket.io-client from 4.4.1 to 4.5.0 (@​dependabot[bot])
  • #​9528 chore(deps-dev): bump core-js from 3.21.1 to 3.22.4 (@​dependabot[bot])
  • #​9512 chore(deps-dev): bump mongoose from 6.2.10 to 6.3.2 (@​dependabot[bot])
  • #​9513 chore(deps-dev): bump clang-format from 1.6.0 to 1.8.0 (@​dependabot[bot])
  • #​9460 chore(deps-dev): bump @​types/chai from 4.3.0 to 4.3.1 (@​dependabot[bot])
  • #​9461 chore(deps-dev): bump amqp-connection-manager from 4.1.1 to 4.1.2 (@​dependabot[bot])
  • #​9466 chore(deps-dev): bump sinon from 13.0.1 to 13.0.2 (@​dependabot[bot])
  • #​9478 chore(deps-dev): bump graphql-tools from 8.2.5 to 8.2.8 (@​dependabot[bot])
  • #​9482 chore(deps-dev): bump @​grpc/grpc-js from 1.6.2 to 1.6.7 (@​dependabot[bot])
  • #​9493 chore(deps): update dependency lodash to 4.17.21 [security] (@​renovate[bot])
  • #​9494 chore(deps): update dependency mem to 4.0.0 [security] (@​renovate[bot])
  • #​9499 chore(deps): bump github/codeql-action from 1 to 2 (@​dependabot[bot])
  • #​9505 chore(deps): update dependency cross-fetch to 3.1.5 [security] (@​renovate[bot])
  • #​9453 chore(deps): bump moment from 2.29.1 to 2.29.2 in /sample/27-scheduling (@​dependabot[bot])
  • #​9454 chore(deps): bump moment from 2.29.1 to 2.29.2 in /sample/26-queues (@​dependabot[bot])
  • #​9447 chore(deps-dev): bump graphql-tools from 8.2.4 to 8.2.5 (@​dependabot[bot])
  • #​9448 chore(deps-dev): bump cache-manager from 3.6.0 to 3.6.1 (@​dependabot[bot])
  • #​9451 chore(deps): bump moment from 2.29.1 to 2.29.2 in /sample/07-sequelize (@​dependabot[bot])
  • #​9452 chore(deps): bump moment from 2.24.0 to 2.29.2 (@​dependabot[bot])
• platform-fastify
  • #​9567 chore(deps): bump middie from 6.0.0 to 6.1.0 (@​dependabot[bot])
  • #​9540 chore(deps): bump fastify-cors from 6.0.3 to 6.1.0 (@​dependabot[bot])
  • #​9526 chore(deps): bump fastify from 3.28.0 to 3.29.0 (@​dependabot[bot])
  • #​9527 chore(deps): bump light-my-request from 4.9.0 to 4.10.1 (@​dependabot[bot])
• platform-socket.io
  • #​9536 chore(deps): bump socket.io from 4.4.1 to 4.5.0 (@​dependabot[bot])
• platform-express
  • #​9549 chore(deps): bump express from 4.17.3 to 4.18.1 (@​dependabot[bot])
• common
  • #​9548 chore(deps): bump axios from 0.26.1 to 0.27.2 (@​dependabot[bot])
• common, core, microservices, platform-express, platform-fastify, platform-socket.io, platform-ws, testing, websockets
  • #​9529 chore(deps): bump tslib from 2.3.1 to 2.4.0 (@​dependabot[bot])

Committers: 6

• Antonio T. alias Tony (@​Tony133)
• Francesco Soncina (@​phra)
• Lutz (@​MyAeroCode)
• Micael Levi L. Cavalcante (@​micalevisk)
• Oleg "OSA413" Sokolov (@​OSA413)
• TIBI Nicolas (@​ntibi)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.