fix(deps): update dependency @nestjs/core to v11 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/core (source)	10.4.22 → 11.1.18

GitHub Vulnerability Alerts

CVE-2026-35515

Impact

What kind of vulnerability is it? Who is impacted?

SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.

Actual impact:

• Event spoofing: Attacker forges SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for wrong event types.
• Data injection: Attacker injects arbitrary data: payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.
• Reconnection corruption: Attacker injects id: fields, corrupting the Last-Event-ID header on reconnection, causing the client to miss or replay events.
• Attack precondition: Requires the developer to map user-influenced data to the type or id fields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.

Patches

Has the problem been patched? What versions should users upgrade to?

Patched in @nestjs/core@11.1.18

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

---

Release Notes

nestjs/nest (@​nestjs/core)

v11.1.18

Compare Source

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #​16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #​16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #​16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • #​16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #​16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #​16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #​16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #​16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17

Compare Source

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #​16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) cbdf737 (@​kamilmysliwiec)

Dependencies

• common
  • #​16567 fix(deps): update dependency file-type to v21.3.2 (@​renovate[bot])
• platform-fastify
  • #​16533 fix(deps): update dependency fastify to v5.8.2 (@​renovate[bot])

Committers: 3

• Rohan Santhosh Kumar (@​Rohan5commit)
• Vasil Chomakov (@​vchomakov)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.16

Compare Source

v11.1.16 (2026-03-05)

Bug fixes

• microservices
  • #​16506 fix(microservices): fix double callback when isdisposed or err is truthy (@​LhonRafaat)

Dependencies

• platform-express
  • #​16507 fix(deps): update dependency multer to v2.1.1 (@​renovate[bot])

Committers: 2

• Lhon (@​LhonRafaat)
• Shahnoor Mujawar (@​shahnoormujawar)

v11.1.15

Compare Source

What's Changed

• fix(microservices): if indexOf return 0 will if will be falsy by @​cuiweixie in #​16401
• fix(microservices): introuduce max pattern depth and object complexity by @​kamilmysliwiec in #​16402
• chore(@​nestjs/core): allow override for initializeWildcardHandlersIfE… by @​StNekroman in #​16468
• chore(deps): update dependency @​fastify/middie to v9.2.0 [security] by @​renovate[bot] in #​16472
• fix(deps): update dependency multer to v2.1.0 [security] by @​renovate[bot] in #​16474

New Contributors

• @​cuiweixie made their first contribution in #​16401
• @​StNekroman made their first contribution in #​16468

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14

Compare Source

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #​16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #​16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #​16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13

Compare Source

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #​16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #​16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #​16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #​16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #​16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #​16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.12

Compare Source

v11.1.12 (2026-01-15)

Bug fixes

• common
  • #​16187 fix(common): regression in loading file-type under Windows OS (@​iamkanguk97)

Dependencies

• platform-ws
  • #​16161 chore(deps): bump ws from 8.18.3 to 8.19.0 (@​dependabot[bot])
• common
  • #​16155 fix(deps): update dependency file-type to v21.3.0 (@​renovate[bot])
• platform-fastify
  • #​16154 fix(deps): update dependency find-my-way to v9.4.0 (@​renovate[bot])

Committers: 3

• Antonio Tripodi (@​Tony133)
• KANGUK LEE (@​iamkanguk97)
• @​miso-kyoungminkim

v11.1.11

Compare Source

v11.1.11 (2025-12-29)

Bug fixes

• platform-fastify
  • #​16135 fix(platform-fastify): middie bypassing through decoded chars (@​kamilmysliwiec)
• core
  • #​16133 fix(core): add missing catch handler for forward-ref provider resolution (@​coti-z)

Dependencies

• platform-socket.io
  • #​16125 fix(deps): update dependency socket.io to v4.8.3 (@​renovate[bot])
  • #​16114 chore(deps): bump socket.io from 4.8.1 to 4.8.2 (@​dependabot[bot])
• platform-fastify
  • #​16130 fix(deps): update dependency @​fastify/static to v9 (@​renovate[bot])
• common
  • #​16127 chore(deps): bump file-type from 21.1.1 to 21.2.0 (@​dependabot[bot])

Committers: 3

• Himanshu Gupta (@​manureja64)
• Kamil Mysliwiec (@​kamilmysliwiec)
• coti (@​coti-z)

v11.1.10

Compare Source

v11.1.10 (2025-12-22)

Bug fixes

• core
  • #​16098 fix(core): instantiate nested transient providers in static context (@​mag123c)
  • #​16005 fix(core): resolve all providers when using resolve() with each option (@​malkovitc)
• microservices
  • #​16072 fix(microservices): fix grpc stream method return type (@​shash-hq)
• common
  • #​16077 fix(common): resolve file-type path explicitly (@​shash-hq)
  • #​16013 fix(common): Support fallbackToMimetype without buffer (@​chenjieya)

Enhancements

• common
  • #​16100 fix(common): improve error handling in FileTypeValidator (@​malkovitc)
  • #​16060 feat(common): add message property to file type validator (@​Jo-Minseok)
  • #​16079 fix: enhance ValidationPipe (@​liu-jin-yi)
• core
  • #​15721 feat(core): add Promise support for SSE handlers (@​pythonjsgo)
• microservices
  • #​15975 feat(microservices): add keepalive support for server side (@​OlegStrokan)
• common, core
  • #​15986 feat(core): add option for async logger compatibility (@​mag123c)

Dependencies

• platform-fastify
  • #​16041 fix(deps): update dependency @​fastify/cors to v11.2.0 (@​renovate[bot])
• platform-express
  • #​16002 fix(deps): update dependency express to v5.2.1 (@​renovate[bot])
• common
  • #​15948 chore(deps): bump file-type from 21.1.0 to 21.1.1 (@​dependabot[bot])

Committers: 11

• Alexander (@​pythonjsgo)
• J_Coder (@​Jo-Minseok)
• Luke Son (@​KAPUIST)
• Oleh Strokan (@​OlegStrokan)
• Praveen Somasundaram (@​som14062005)
• Shashank (@​shash-hq)
• @​chenjieya
• @​giorgikakauridze
• @​mag123c
• chernomortsev evgeny (@​malkovitc)
• liu-jin-yi (@​liu-jin-yi)

v11.1.9

Compare Source

v11.1.9 (2025-11-14)

Bug fixes

• core
  • #​15865 fix(core): make get() throw for implicitly request-scoped trees (@​JoeNutt)

Enhancements

• common
  • #​15863 feat(common): add method options to @​sse decorator (@​TomerSteinberg)

Dependencies

• platform-fastify
  • #​15899 chore(deps): bump fastify from 5.6.1 to 5.6.2 (@​dependabot[bot])

Committers: 4

• Rami (@​JoeNutt)
• Rhynel Algopera (@​dev-rhynel)
• Tomer Steinberg (@​TomerSteinberg)
• WuMingDao (@​WuMingDao)

v11.1.8

Compare Source

v11.1.7

Compare Source

v11.1.6

Compare Source

v11.1.6 (2025-08-07)

Bug fixes

• core
  • #​15504 fix(core): fix race condition in class dependency resolution from imported modules (@​hajekjiri)
  • #​15469 fix(core): attach root inquirer for nested transient providers (@​kamilmysliwiec)
• microservices
  • #​15508 fix(microservices): report correct buffer length in exception (@​kim-sung-jee)
  • #​15492 fix(microservices): fix kafka serilization of class instances (@​LeonBiersch)

Dependencies

• platform-fastify
  • #​15493 chore(deps): bump @​fastify/cors from 11.0.1 to 11.1.0 (@​dependabot[bot])

Committers: 6

• Jiri Hajek (@​hajekjiri)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Leon Biersch (@​LeonBiersch)
• Seongjee Kim (@​kim-sung-jee)
• @​premierbell
• pTr (@​ptrgits)

v11.1.5

Compare Source

v11.1.5 (2025-07-18)

Dependencies

• platform-express
  • #​15425 chore(deps): bump multer from 2.0.1 to 2.0.2 in /packages/platform-express (@​dependabot[bot])

v11.1.4

Compare Source

v11.1.4 (2025-07-16)

Bug fixes

• platform-fastify
  • #​15385 fix(testing): auto-init fastify adapter for middleware registration (@​mag123c)
• core, testing
  • #​15405 fix(core): fix race condition in class dependency resolution (@​hajekjiri)
• core
  • #​15333 fix(core): Make flattenRoutePath return a valid module (@​gentunian)
• microservices
  • #​15305 fix(microservices): Revisit RMQ pattern matching with wildcards (@​getlarge)
  • #​15250 fix(constants): update RMQ_DEFAULT_QUEUE to an empty string (@​EeeasyCode)

Enhancements

• platform-fastify
  • #​14789 feat(fastify): add decorator for custom schema (@​piotrfrankowski)
• common, core, microservices, platform-express, platform-fastify, websockets
  • #​15386 feat: enhance introspection capabilities (@​kamilmysliwiec)
• core
  • #​15374 feat: supporting fine async storage control (@​Farenheith)

Dependencies

• platform-ws
  • #​15350 chore(deps): bump ws from 8.18.2 to 8.18.3 (@​dependabot[bot])
• platform-fastify
  • #​15278 chore(deps): bump fastify from 5.3.3 to 5.4.0 (@​dependabot[bot])

Committers: 11

• Alexey Filippov (@​SocketSomeone)
• EFIcats (@​ext4cats)
• Edouard Maleix (@​getlarge)
• JaeHo Jang (@​mag123c)
• Jiri Hajek (@​hajekjiri)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Khan / 이창민 (@​EeeasyCode)
• Peter F. (@​piotrfrankowski)
• Sebastian (@​gentunian)
• Thiago Oliveira Santos (@​Farenheith)
• jochong (@​jochongs)

v11.1.3

Compare Source

v11.1.3 (2025-06-06)

Bug fixes

• core
  • #​15201 fix(core): gracefully shutdown the app when repl exits (@​dzhlobo)

Enhancements

• common
  • #​15209 feat: add string array type to disposition (@​fjodor-rybakov)
• common, core
  • #​15203 feat(core): defer initialization connected microservice (@​isaryy)

Dependencies

• platform-express
  • #​15232 chore(deps): bump multer from 2.0.0 to 2.0.1 (@​dependabot[bot])

Committers: 3

• Dmitry Zhlobo (@​dzhlobo)
• @​fjodor-rybakov
• @​isaryy

v11.1.2

Compare Source

v11.1.2 (2025-05-26)

Bug fixes

• microservices
  • #​15172 fix(microservices): support custom strategy in async usefactory config (@​mag123c)
  • #​15166 fix(microservice): prevent error logs during redis client shutdown (@​janroker)

Dependencies

• common
  • #​15185 chore(deps): bump file-type from 20.5.0 to 21.0.0 (@​dependabot[bot])
• platform-express
  • #​15159 chore(deps): bump multer from 1.4.5-lts.2 to 2.0.0 (@​dependabot[bot])

Committers: 2

• JaeHo Jang (@​mag123c)
• Jan Roček (@​janroker)

v11.1.1

Compare Source

v11.1.1 (2025-05-14)

Bug fixes

• core
  • #​15056 fix(core): HTTP adapter error mapping (@​maxbronnikov10)
• microservices
  • #​15062 fix(microservices): ensure all redis and amqp client closes properly (@​yatin166)
  • #​15032 fix(microservices): ensure all the amqp connections are closed properly (@​yatin166)
  • #​15020 fix(microservices): ensure all redis connections are closed (@​yatin166)
• core, platform-fastify
  • #​15061 fix(core): bring back getHeader and appendHeader methods from AbstractHttpAdapter (@​micalevisk)
• platform-express
  • #​15010 feat: remove use of pipeline (@​jmcdo29)

Enhancements

• microservices
  • #​14606 feat(microservices): add specific transport id to microservices (@​maxbronnikov10)
  • #​15057 feat(microservices): Allow custom exchangeType as string for plugin compatibility (@​ChangmoKang)
  • #​15072 feat(microservices): Add exchange arguments to RabbitMQ (@​gapon2401)

Dependencies

• platform-fastify
  • #​15129 chore(deps): bump fastify from 5.3.2 to 5.3.3 (@​dependabot[bot])
• platform-ws
  • #​15068 chore(deps): bump ws from 8.18.1 to 8.18.2 (@​dependabot[bot])
• common
  • #​15029 chore(deps): bump file-type from 20.4.1 to 20.5.0 (@​dependabot[bot])

Committers: 7

• Antonio Tripodi (@​Tony133)
• Changmo Kang (Ryan) (@​ChangmoKang)
• Igor Gaponov (@​gapon2401)
• Jackie McDoniel (@​jmcdo29)
• Maxim Bronnikov (@​maxbronnikov10)
• Micael Levi L. Cavalcante (@​micalevisk)
• Yatin Gaikwad (@​yatin166)

v11.1.0

Compare Source

v11.1.0 (2025-04-23)

Enhancements

• microservices
  • #​14540 feat(microservices): add support for topic exchange (rabbitmq) (@​kamilmysliwiec)

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.0.21

Compare Source

v11.0.21 (2025-04-23)

Enhancements

• common
  • #​14995 feat(common): Add fallbackToMimetype support in FileTypeValidator (@​mag123c)

Dependencies

• platform-fastify
  • #​14989 fix(deps): update dependency fastify to v5.3.2 [security] (@​renovate[bot])

Committers: 1

• JaeHo Jang (@​mag123c)

v11.0.20

Compare Source

What's Changed

• refactor(common): Prevent JavaScript being wrapped in eval by @​Borewit in #​14974

New Contributors

• @​Borewit made their first contribution in #​14974

Full Changelog: nestjs/nest@v11.0.19...v11.0.20

v11.0.19

Compare Source

v11.0.18

Compare Source

What's Changed

• chore(common): temporarily move file-type to regular deps d9a69a3

Full Changelog: nestjs/nest@v11.0.17...v11.0.18

v11.0.17

Compare Source

v11.0.16

Compare Source

v11.0.16 (2025-04-11)

• fix(common): use file-type to validate file mimetypes by @​Chathula in #​14881

v11.0.15

Compare Source

v11.0.15 (2025-04-10)

Bug fixes

• platform-fastify
  • #​14935 fix(fastify): methods comparison (@​johaven)

Committers: 1

• Johan Legrand (@​johaven)

v11.0.14

Compare Source

v11.0.14 (2025-04-09)

Bug fixes

• platform-fastify
  • #​14511 fix(fastify): adds the non-standard http methods to the instance (@​johaven)

Committers: 1

• Johan Legrand (@​johaven)

v11.0.13

Compare Source

v11.0.13 (2025-04-03)

Bug fixes

• platform-fastify
  • #​14895 fix(fastify-adapter): global prefix exclusion path handling w/middleware (@​KyleLilly)
• microservices
  • #​14869 fix(microservices): do not re-create client connection once get client by service name (@​mingo023)

Dependencies

• platform-express
  • #​14883 fix(deps): update dependency express to v5.1.0 (@​renovate[bot])
  • #​14817 fix(deps): update dependency multer to v1.4.5-lts.2 (@​renovate[bot])
• platform-fastify
  • #​14861 fix(deps): update dependency fastify to v5.2.2 (@​renovate[bot])
  • #​14864 chore(deps): bump @​fastify/cors from 11.0.0 to 11.0.1 (@​dependabot[bot])

Committers: 2

• Kyle Lilly (@​KyleLilly)
• Minh Ngo (@​mingo023)

v11.0.12

Compare Source

v11.0.12 (2025-03-19)

Bug fixes

• core
  • #​14803 fix(core): infinite loop on broken circular reference (@​kamilmysliwiec)
  • #​14792 dependencies not resolving for request-scoped lazy providers (@​anizozina)

Enhancements

• core
  • #​14802 feat(core): add options to the legacy route converter (@​kamilmysliwiec)

v11.0.11

Compare Source

v11.0.11 (2025-02-28)

Enhancements

• platform-fastify
  • #​14677 perf: Switch deprecated parser querystring for fast-querystring (@​smith558)

Dependencies

• platform-fastify
  • #​14711 fix(deps): update dependency @​fastify/cors to v11 (@​renovate[bot])
• platform-ws
  • #​14689 chore(deps): bump ws from 8.18.0 to 8.18.1 (@​dependabot[bot])

Committers: 1

• Stanislav (Stanley) Modrak (@​smith558)

v11.0.10

Compare Source

v11.0.10 (2025-02-17)

Bug fixes

• microservices
  • #​14605 fix(microservices): server send drops emitted value (@​shprota)
• platform-express
  • #​14640 fix(platform-express) respect custom parser middlewares in Express 5 (@​luddwichr)

v11.0.9

Compare Source

v11.0.9 (2025-02-10)

Bug fixes

• core
  • #​14597 perf(core): use topology tree for calculating distance (depth) (@​kamilmysliwiec)
• common
  • #​14579 fix(common): revert to original value (swc builders regression) (@​kamilmysliwiec)

Committers: 2

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.0.8

Compare Source

v11.0.8 (2025-02-06)

Bug fixes

• common
  • #​14546 fix(common): addLeadingSlash optional group support (@​dcharbonnier)
• platform-express
  • #​14574 fix(platform-express) make check for existing middlewares work with Express 5 (@​luddwichr)

Committers: 4

• Ghassen Rjab (@​GhassenRjab)
• Shay Molcho (@​shaymolcho)
• @​dcharbonnier
• @​luddwichr

v11.0.7

Compare Source

v11.0.7 (2025-01-31)

Bug fixes

• core
  • #​14523 fix: middleware sort issues (@​rbnayax)

Committers: 1

• @​rbnayax

v11.0.6

Compare Source

v11.0.6 (2025-01-27)

Bug fixes

• core
  • #​14522 fix(core): allow optional named wildcard groups (@​kamilmysliwiec)

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.0.5

Compare Source

v11.0.5 (2025-01-23)

Bug fixes

• core
  • #​14495 fix(core): global module middleware should be executed first (@​kamilmysliwiec)

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.0.4

Compare Source

v11.0.3

Compare Source

v11.0.2

Compare Source

v11.0.1

Compare Source

v11.0.0

Compare Source

v11.0.0 (2025-01-16)

Article: https://trilon.io/blog/announcing-nestjs-11-whats-new
Migration guide: https://docs.nestjs.com/migration-guide 👈 👈 👈

⚠️ Node v16 and v18 are no longer supported (>= v20 is required).

Features

• common, core, microservices
  • #​14142 feat(microservices): add status, unwrap, on methods to microservice transporters (clients/servers) (@​kamilmysliwiec)
• • #​14121 feat(common): add json logger, built-in logger improvements (@​kamilmysliwiec)
• common, core
  • #​13336 feat(core): introduce different module opaque key factories (improve bootstrap performance) (@​kamilmysliwiec)
• common, core, microservices, platform-express, platform-fastify, platform-socket.io, platform-ws, testing, websockets
  • #​14238 chore(deps): upgrade to express v5, fastify v5, add legacy route path converter to minimize breaking changes (@​kamilmysliwiec)

Enhancements

• common
  • #​14213 feat(common): add error messages for file validators (@​mag123c)
  • #​14131 feat(common): allow passing number to http error createBody (@​kamilmysliwiec)
  • #​14122 feat(common): add ParseDatePipe, add tsdoc to other pipes (@​kamilmysliwiec)
  • #​12735 feat(common)!: type narrowing allowed injection tokens for @Inject() (@​micalevisk)
  • #​12764 fix(common): apply options to plaintoclass in classserializerinterceptor (@​kmw14641)
  • #​14126 fix(common): type narrowing context parameter on createParamDecorator's callback (@​EeeasyCode)
  • #​13628 chore(class-transformer): plainToClass is deprectated and replaced with plainToInstance (@​tomflorentin)
• microservices
  • #​14200 feat(microservices): support nats queue per handler (@​kamilmysliwiec)
  • #​13924 feat(microservices): add gracefull shutdown option for nats server (@​alinowrouzii)
  • #​12622 feat: allow for microservice options to come from the di container (@​jmcdo29)
  • #​14134 feat(microservices): add max tcp packet buffer length (@​kamilmysliwiec)
  • #​12761 feat(microservices): ability to use a random port for the TCP server (@​PieterScheffers)
• websockets
  • #​14184 feat(websockets): include exception cause to associate error with req (@​kamilmysliwiec)
• common, core, microservices, websockets
  • #​14182 feat(common): introduce intrinsic exception (@​kamilmysliwiec)
• common, core, platform-fastify
  • #​13278 feat(core,common,platform-fastify): add webdav http methods support (@​johaven)
• platform-express
  • #​13407 feat: add multer error fieldname to the exception message (@​mmgroner)
• platform-ws
  • #​14127 feat(ws): introduce message parser for ws adapter (@​CodyTseng)
• platform-fastify
  • #​14115 chore(fastify): update fastify view options interface (@​Tony133)
  • #​14116 refactor(fastify): update fastify static options interface (@​Tony133)
• common, core
  • #​14113 feat(core): allow overriding abortOnError for the select method (@​kamilmysliwiec)

Bug fixes

• core
  • #​14267 fix shutdown hooks order (@​flovouin)
  • #​13388 correction of Reflector types (@​AlexRMU)
  • #​14110 fix(core): Calculate module distance after bindGlobalScope (@​wenlong-chen)
  • #​14111 fix(core): Order of module destroy should be the reverse of module init (@​wenlong-chen)
  • #​14097 fix(core): revisit dependencies w/ possibly higher distance (@​clkamp)
• platform-fastify
  • #​13797 fix(fastify-adapter): middleware not executed when root path is excluded (@​patrickacioli)
• microservices
  • #​14129 fix: rabbitmq bindings and auto-generated queues (@​EeeasyCode)
  • #​14112 fix(microservices): use instance refs for target handler callbacks (@​kamilmysliwiec)
  • #​13468 fix(microservices): delete unnecessary call of grpcClient.start (@​kamilmysliwiec)
• common
  • #​14114 fix(common)!: drop broken support for promises on exports of modules (@​micalevisk)

Other packages in the ecosystem

• config (breaking changes)
  • https://github.com/nestjs/config/releases/tag/4.0.0
• cli
  • https://github.com/nestjs/nest-cli/releases/tag/11.0.0
• cache-manager (breaking changes)
  • https://github.com/nestjs/cache-manager/releases/tag/3.0.0
• cqrs
  • https://github.com/nestjs/cqrs/releases/tag/11.0.0

Dependencies

• Other
  • #​14205 chore(dev-deps): upgrade to eslint v9 (@​kamilmysliwiec)
  • #​14428 fix(deps): update dependency mercurius to v16.0.1 (@​renovate[bot])
  • #​14424 fix(deps): update dependency mongoose to v8.9.5 (@​renovate[bot])
  • #​14410 fix(deps): update dependency @​fastify/static to v8.0.4 (@​renovate[bot])
  • #​14411 fix(deps): update dependency @​fastify/view to v10.0.2 (@​renovate[bot])
  • #​14403 chore(deps): update dependency nats to v2.29.1 (@​renovate[bot])
  • #​14400 fix(deps): update dependency ansis to v3.8.1 (@​renovate[bot])
  • #​14337 chore(deps): update dependency @​fastify/multipart to v9.0.2 (@​renovate[bot])
  • #​14415 fix(deps): update dependency mercurius to v16 (@​renovate[bot])
  • #​14397 chore(deps): update dependency webpack-cli to v6 (@​renovate[bot])
  • #​14384 fix(deps): update dependency typescript to v5.7.3 (@​renovate[bot])
  • #​14378 chore(deps): update dependency core-js to v3.40.0 (@​renovate[bot])
  • #​14377 chore(deps): update dependency @​eslint/js to v9.17.0 (@​renovate[bot])
  • #​14375 chore(deps): update dependency @​grpc/grpc-js to v1.12.5 (@​renovate[bot])
  • #​14370 chore(deps): update dependency ioredis to v5.4.2 (@​renovate[bot])
  • #​14197 chore(deps-dev): bump @​fastify/static from 7.0.4 to 8.0.3 (@​dependabot[bot])
  • #​14345 chore(deps): update dependency eslint to v9 (@​renovate[bot])
  • #​14324 fix(deps): update dependency @​socket.io/redis-adapter to v8.3.0 (@​renovate[bot])
  • #​14363 chore(deps): bump @​fastify/cors from 9.0.1 to 10.0.2 (@​dependabot[bot])
  • #​14354 chore(deps-dev): bump cache-manager from 5.7.6 to 6.3.2 (@​dependabot[bot])
  • [#​1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes		no	no	3.72s
✅ EDITORCONFIG	editorconfig-checker	2		0	0	0.01s
✅ JSON	jsonlint	1		0	0	0.36s
✅ JSON	npm-package-json-lint	yes		no	no	0.56s
⚠️ JSON	prettier	1	0	1	0	0.41s
✅ JSON	v8r	1		0	0	5.85s
❌ REPOSITORY	checkov	yes		5	no	23.02s
❌ REPOSITORY	devskim	yes		45	no	147.29s
✅ REPOSITORY	dustilock	yes		no	no	1.28s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
❌ REPOSITORY	grype	yes		70	no	50.05s
❌ REPOSITORY	kics	yes		56	no	4.77s
❌ REPOSITORY	kingfisher	yes		1	no	5.15s
❌ REPOSITORY	secretlint	yes		1	no	1.13s
✅ REPOSITORY	syft	yes		no	no	5.04s
⚠️ REPOSITORY	trivy	yes		1	no	12.99s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.52s
✅ REPOSITORY	trufflehog	yes		no	no	4.27s
✅ SPELL	cspell	3		0	0	3.26s
❌ SPELL	lychee	2		1	0	0.49s
✅ YAML	prettier	1	0	0	0	0.38s
✅ YAML	v8r	1		0	0	1.52s
❌ YAML	yamllint	1		4	0	4.88s

Detailed Issues

❌ REPOSITORY / checkov - 5 errors

dockerfile scan results:

Passed checks: 77, Failed checks: 1, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1  | ARG NODE_VERSION=lts-slim
		2  | 
		3  | FROM node:${NODE_VERSION} AS dependencies
		4  | 
		5  | WORKDIR /app
		6  | 
		7  | ENV PNPM_HOME="/pnpm"
		8  | ENV PATH="$PNPM_HOME:$PATH"
		9  | 
		10 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		11 |     --mount=type=bind,source=package.json,target=/app/package.json \
		12 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		13 |     corepack enable && \
		14 |     pnpm install --frozen-lockfile --strict-peer-dependencies
		15 | 
		16 | FROM dependencies AS builder
		17 | 
		18 | COPY --chown=node:node src/ /app/src
		19 | 
		20 | RUN --mount=type=bind,source=package.json,target=/app/package.json \
		21 |     --mount=type=bind,source=nest-cli.json,target=/app/nest-cli.json \
		22 |     --mount=type=bind,source=tsconfig.json,target=/app/tsconfig.json \
		23 |     --mount=type=bind,source=tsconfig.build.json,target=/app/tsconfig.build.json \
		24 |     pnpm build
		25 | 
		26 | FROM builder AS pruner
		27 | 
		28 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		29 |     --mount=type=bind,source=package.json,target=/app/package.json \
		30 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		31 |     pnpm prune --prod --ignore-scripts
		32 | 
		33 | FROM gcr.io/distroless/nodejs22-debian12:nonroot
		34 | 
		35 | WORKDIR /app
		36 | 
		37 | ENV PORT=3000
		38 | 
		39 | COPY --chown=nonroot:nonroot --from=pruner /app/node_modules ./node_modules
		40 | COPY --chown=nonroot:nonroot --from=builder /app/dist .
		41 | COPY --chown=nonroot:nonroot CHANGELOG.md LICENSE package.json /app/
		42 | 
		43 | EXPOSE ${PORT}
		44 | 
		45 | HEALTHCHECK --interval=30s --timeout=2s --start-period=10s --retries=2 CMD [ "/nodejs/bin/node", "bin/health-checker.js" ]
		46 | 
		47 | CMD ["main.js"]
github_actions scan results:

Passed checks: 212, Failed checks: 4, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CI)
	File: /.github/workflows/ci.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Release)
	File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CodeQL)
	File: /.github/workflows/codeql-analysis.yml:27-28
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Publish)
	File: /.github/workflows/publish.yml:11-12

❌ REPOSITORY / devskim - 45 errors

eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"","markdown":"`\"1f8b0800000000000400edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227676f6eeef3f7df0e4deb3ddfb4fee3f7d7a707ab0bbb7f7f4e1bdbde307a7270f3e3dd8f9f4d1ee6f9cececdcdb3978f0706f677fe7e1fefecebdfbf74e4f77f69f3d7c72bcff6cf7f4f8f4e4e19347f7b8d9c1ee83e3d307bb274f8f9f3e3c7876bcbbf3e9c3677b27fba73bf79e3c3cd87ff850a09ddc7ffaecf8e0fec3a7fbbb9f3e39dd39387978efe0e4d3ddbdfdfbc7270fee3d7c72c0d076a9a34f1f3c797afaf0c1b3d3bdbdbd9d9ddda727f7ef3dd83b3d7ef6f0d367a727cf1eeda1d9def1c9a79f3e79b6ffe9eea727f7768e9fed3f397d7af0f0d3e3e37b0feedf3fbeff644fa0ed9d9cdcdb23fcf61fec1cd3581fecef3ffd7467e7e1fde307f78f3fdd3939b8c7b8ed3ed939a5913ed8db7b72fce0de93277b7bbb4f9eecef3f38397eba77fa908874fc688fdb3d7d787cf2ecc92e11e1e9331acabd277bc7f7ee3fdbd9bff78046f1f4e1b3270ceede936707f79e3d78f0f4e1c393d383e3fdfbfbf73edd7ff6e9d3d3bdfddd7bbb4f08456976f2e4fede937b4f77ef9d1e3fbc77eff4c1e9dece8393873b0f3ffdf478f7ded383e31369f6f4d9bd87bb4ff61f3cfdf494fe77fff4e9c33d1af683dde39dd34fef1d9cee1d73339aa5ddddfd87f79eed1d3ca1a97878faece993d393270f3f3da1160ff7efeded3ffa14cdf6f6ee1f9cde3bb9b7ffe4e1d3ddbd4f4f1fee9c3cb8fff0c9938784cea7279fde13faee3f7bb0bbf3e0ded3e327cfee3ffd74efc9a734d8dd9d83bd67fb07f74ef7778e8fef337defef12dc7bc44df71f3ebc47487ffaf4d9cea74f771eeedd7b76effece1e61c7b8dddfdfdf3b797aff00f0ee3f20b2eede7ff6708fa6f93ecde1139a63a1db7d747472b0f7e9d3834fefdf279e20f4f63f059f3c78b6777aefe9fda7d2ece1ceb3074f4f4e1eec3cf9f4defea7fbc7a734cb44fb7b279fee3fdd7b70b0fbe9a33d46eee1c1a7a7c7f7eeed9f7cfae0607fefd9a73455f74ff70e9eed3fbc7ffaecd3fb270702eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 4000 characters out of 313712)

❌ REPOSITORY / grype - 70 errors

(16th)  < 0.1  
tmp                   0.0.33     0.2.4     npm   GHSA-52f5-9888-hmc6  Low       < 0.1% (25th)  < 0.1  
yaml                  2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    < 0.1% (16th)  < 0.1  
brace-expansion       1.1.11     1.1.12    npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (25th)  < 0.1  
brace-expansion       2.0.1      2.0.2     npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (25th)  < 0.1  
minimatch             3.1.2      3.1.3     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             7.4.6      7.4.8     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             9.0.5      9.0.7     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             3.1.2      3.1.3     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
minimatch             7.4.6      7.4.7     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
minimatch             9.0.5      9.0.6     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
qs                    6.14.0     6.14.2    npm   GHSA-w7fw-mjwx-w883  Low       < 0.1% (18th)  < 0.1  
minimatch             3.1.2      3.1.4     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
minimatch             7.4.6      7.4.8     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
minimatch             9.0.5      9.0.7     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
lodash                4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
lodash-es             4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-v52c-386h-88mc  High      < 0.1% (4th)   < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-xf7r-hgr6-v32p  High      < 0.1% (4th)   < 0.1  
undici                6.14.1     6.21.2    npm   GHSA-cxrh-j4jr-qwg3  Low       < 0.1% (14th)  < 0.1  
js-yaml               3.14.1     3.14.2    npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (5th)   < 0.1  
js-yaml               4.1.0      4.1.1     npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (5th)   < 0.1  
undici                6.14.1     6.23.0    npm   GHSA-g9mf-h72j-4rw9  Medium    < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-phc3-fgpg-7m6h  Medium    < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
ajv                   8.12.0     8.18.0    npm   GHSA-2g4f-4pwh-qvx6  Medium    < 0.1% (5th)   < 0.1  
jws                   3.2.2      3.2.3     npm   GHSA-869p-cjfg-cm3x  High      < 0.1% (1st)   < 0.1  
diff                  4.0.2      4.0.4     npm   GHSA-73rr-hh4g-fpgx  Low       < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.0   npm   GHSA-38r7-794h-5758  Low       < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.1   npm   GHSA-8fgc-7cc6-rx7x  Low       < 0.1% (1st)   < 0.1  
serialize-javascript  6.0.1      7.0.3     npm   GHSA-5c6j-r48x-rmvq  High      N/A            N/A
[0049] ERROR discovered vulnerabilities at or above the severity threshold

(Truncated to last 4000 characters out of 7528)

❌ REPOSITORY / kics - 56 errors

/var/lib/apt/lists/*;
		005: 


	[3]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


	[4]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
		005:     && apt-get -y install --no-install-recommends silversearcher-ag httpie \


	[5]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


Passwords And Secrets - Password in URL, Severity: HIGH, Results: 3
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:95

		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		096:           NODE_ENV: production


	[2]: .devcontainer/docker-compose.yml:24

		023:     environment:
		024:       - DATABASE_URL=<SECRET-MASKED-ON-PURPOSE>:5432/postgres
		025: 


	[3]: .github/workflows/ci.yml:89

		088:         env:
		089:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		090:       - name: Run the server 🚀


Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:94

		093:           PORT: 3000
		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper


	[2]: .github/workflows/ci.yml:33

		032:         env:
		033:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		034:       - name: Report test results 📝


Passwords And Secrets - Generic Password, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .devcontainer/docker-compose.yml:32

		031:     environment:
		032:       POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		033:       POSTGRES_USER: postgres


	[2]: .github/workflows/ci.yml:63

		062:           POSTGRES_USER: armband
		063:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		064:           POSTGRES_DB: sharper


Missing User Instruction, Severity: HIGH, Results: 2
Description: Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
Platform: Dockerfile
CWE: 250
Risk Score: 7.7
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f

	[1]: .devcontainer/Dockerfile:1

		001: FROM mcr.microsoft.com/devcontainers/javascript-node:1-18-bullseye
		002: 
		003: # [Optional] Uncomment this section to install additional OS packages.


	[2]: Dockerfile:33

		032: 
		033: FROM gcr.io/distroless/nodejs22-debian12:nonroot
		034: 



Results Summary:
CRITICAL: 0
HIGH: 9
MEDIUM: 21
LOW: 24
INFO: 2
TOTAL: 56

A new version 'v2.1.20' of KICS is available, please consider updating

(Truncated to last 4000 characters out of 17401)

❌ REPOSITORY / kingfisher - 1 error

New Kingfisher release 1.95.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 453 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
POSTGRES URL WITH HARDCODED PASSWORD => [KINGFISHER.POSTGRES.1]
 |Finding.......: [REDACTED:9cb79fee]
 |Fingerprint...: 2034115162828868254
 |Confidence....: medium
 |Entropy.......: 3.87
 |Validation....: Inactive Credential
 |__Response....: Postgres connection failed.
 |Language......: YAML
 |Line Num......: 24
 |Path..........: ./.devcontainer/docker-compose.yml


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 1
 |__Skipped Validations.......: 0
 |Rules Applied...............: 453
 |__Blobs Scanned.............: 287
 |Bytes Scanned...............: 7.84 MiB
 |Scan Duration...............: 182ms 298us 420ns
 |Scan Date...................: 2026-04-15 08:30:07 +00:00
 |Kingfisher Version..........: 1.84.0
 |__Latest Version............: 1.95.0
New Kingfisher release 1.95.0 available

❌ SPELL / lychee - 1 error

[403] https://www.npmjs.com/support | Network error: Forbidden
📝 Summary
---------------------
🔍 Total............4
✅ Successful.......1
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........2
❓ Unknown..........0
🚫 Errors...........1

Errors in pnpm-lock.yaml
[403] https://www.npmjs.com/support | Network error: Forbidden

❌ REPOSITORY / secretlint - 1 error

.devcontainer/docker-compose.yml
  24:21  error  [PostgreSQLConnection] found PostgreSQL connection string: ****************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

.github/workflows/ci.yml
  89:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string
  95:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 3 problems (3 errors, 0 warnings, 0 infos)

❌ YAML / yamllint - 4 errors

pnpm-lock.yaml
  1:1       warning  missing document start "---"  (document-start)
  37:501    error    line too long (545 > 500 characters)  (line-length)
  10181:501 error    line too long (537 > 500 characters)  (line-length)
  10316:501 error    line too long (584 > 500 characters)  (line-length)

⚠️ JSON / prettier - 1 error

[error] Cannot find package 'prettier-plugin-toml' imported from noop.js

⚠️ REPOSITORY / trivy - 1 error

│        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-22036 │          │        │                   │ 7.18.2, 6.23.0                                          │ undici: Undici: Denial of Service via excessive              │
│                 │                │          │        │                   │                                                         │ decompression steps                                          │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-22036                   │
│                 ├────────────────┼──────────┤        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2024-38372 │ LOW      │        │                   │ 6.19.2                                                  │ Undici vulnerable to data leak when using                    │
│                 │                │          │        │                   │                                                         │ response.arrayBuffer()                                       │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2024-38372                   │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2025-47279 │          │        │                   │ 5.29.0, 6.21.2, 7.5.0                                   │ undici: Undici Memory Leak with Invalid Certificates         │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2025-47279                   │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────


DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────



📣 Notices:
  - Version 0.69.3 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 4000 characters out of 25708)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.