Skip to content

fix(deps): update dependency @nestjs/core to ^11.1.18 [security]#138

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-core-vulnerability
Open

fix(deps): update dependency @nestjs/core to ^11.1.18 [security]#138
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@nestjs/core (source) ^11^11.1.18 age confidence
@nestjs/core (source) ^11.1.6^11.1.18 age confidence

@​nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2026-35515 / GHSA-36xv-jgw5-4q75

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.

Actual impact:

  • Event spoofing: Attacker forges SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for wrong event types.
  • Data injection: Attacker injects arbitrary data: payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.
  • Reconnection corruption: Attacker injects id: fields, corrupting the Last-Event-ID header on reconnection, causing the client to miss or replay events.
  • Attack precondition: Requires the developer to map user-influenced data to the type or id fields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.
Patches

Has the problem been patched? What versions should users upgrade to?

Patched in @nestjs/core@11.1.18

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@​nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2026-35515 / GHSA-36xv-jgw5-4q75

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.

Actual impact:

  • Event spoofing: Attacker forges SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for wrong event types.
  • Data injection: Attacker injects arbitrary data: payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.
  • Reconnection corruption: Attacker injects id: fields, corrupting the Last-Event-ID header on reconnection, causing the client to miss or replay events.
  • Attack precondition: Requires the developer to map user-influenced data to the type or id fields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.
Patches

Has the problem been patched? What versions should users upgrade to?

Patched in @nestjs/core@11.1.18

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nestjs/nest (@​nestjs/core)

v11.1.18

Compare Source

v11.1.18 (2026-04-03)
Bug fixes
Dependencies
Committers: 6

v11.1.17

Compare Source

v11.1.17 (2026-03-16)
Enhancements
Bugs
  • platform-fastify
    • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) cbdf737 (@​kamilmysliwiec)
Dependencies
Committers: 3

v11.1.16

Compare Source

v11.1.16 (2026-03-05)
Bug fixes
  • microservices
Dependencies
Committers: 2

v11.1.15

Compare Source

What's Changed
New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14

Compare Source

v11.1.14 (2026-02-17)
Bug fixes
Enhancements
Committers: 5

v11.1.13

Compare Source

v11.1.13 (2026-02-03)
Bug fixes
  • common
Enhancements
Dependencies
Committers: 6

v11.1.12

Compare Source

v11.1.12 (2026-01-15)
Bug fixes
Dependencies
Committers: 3

v11.1.11

Compare Source

v11.1.11 (2025-12-29)
Bug fixes
Dependencies
Committers: 3

v11.1.10

Compare Source

v11.1.10 (2025-12-22)
Bug fixes
Enhancements
Dependencies
Committers: 11

v11.1.9

Compare Source

v11.1.9 (2025-11-14)
Bug fixes
Enhancements
Dependencies
Committers: 4

v11.1.8

Compare Source

v11.1.8 (2025-10-27)
Bug fixes
Committers: 2

v11.1.7

Compare Source

v11.1.7 (2025-10-21)
Bug fixes
Enhancements
Dependencies
Committers: 9

v11.1.6

Compare Source

v11.1.6 (2025-08-07)
Bug fixes
Dependencies
Committers: 6

v11.1.5

Compare Source

v11.1.5 (2025-07-18)
Dependencies

v11.1.4

Compare Source

v11.1.4 (2025-07-16)
Bug fixes
Enhancements
Dependencies
Committers: 11

v11.1.3

Compare Source

v11.1.3 (2025-06-06)
Bug fixes
Enhancements
Dependencies
Committers: 3

v11.1.2

Compare Source

v11.1.2 (2025-05-26)
Bug fixes
Dependencies
Committers: 2

v11.1.1

Compare Source

v11.1.1 (2025-05-14)
Bug fixes
Enhancements
Dependencies
Committers: 7

v11.1.0

Compare Source

v11.1.0 (2025-04-23)
Enhancements
Committers: 1

v11.0.21

Compare Source

v11.0.21 (2025-04-23)
Enhancements
Dependencies
Committers: 1

v11.0.20

Compare Source

What's Changed
New Contributors

Full Changelog: nestjs/nest@v11.0.19...v11.0.20

v11.0.19

Compare Source

v11.0.18

Compare Source

What's Changed
  • chore(common): temporarily move file-type to regular deps d9a69a3

Full Changelog: nestjs/nest@v11.0.17...v11.0.18

v11.0.17

Compare Source

v11.0.16

Compare Source

v11.0.16 (2025-04-11)

v11.0.15

Compare Source

v11.0.15 (2025-04-10)
Bug fixes
Committers: 1

v11.0.14

Compare Source

v11.0.14 (2025-04-09)
Bug fixes
  • platform-fastify
Committers: 1

v11.0.13

Compare Source

v11.0.13 (2025-04-03)
Bug fixes
  • platform-fastify
  • microservices
    • #​14869 fix(microservices): do not re-create client connection once get client by service name (@​mingo023)
Dependencies
Committers: 2

v11.0.12

Compare Source

v11.0.12 (2025-03-19)
Bug fixes
Enhancements

v11.0.11

Compare Source

v11.0.11 (2025-02-28)
Enhancements
  • platform-fastify
Dependencies
Committers: 1

v11.0.10

Compare Source

v11.0.10 (2025-02-17)
Bug fixes

v11.0.9

Compare Source

v11.0.9 (2025-02-10)
Bug fixes
Committers: 2

v11.0.8

Compare Source

v11.0.8 (2025-02-06)
Bug fixes
Committers: 4

v11.0.7

Compare Source

v11.0.7 (2025-01-31)
Bug fixes
Committers: 1

v11.0.6

Compare Source

v11.0.6 (2025-01-27)
Bug fixes
Committers: 1

v11.0.5

Compare Source

v11.0.5 (2025-01-23)
Bug fixes
Committers: 1

v11.0.4

Compare Source

v11.0.3

Compare Source

v11.0.2

Compare Source

v11.0.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 8140c60 to e2f850c Compare April 8, 2026 16:48
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from e66df00 to e02f4d8 Compare April 16, 2026 09:24
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from e02f4d8 to 50cace1 Compare April 16, 2026 17:53
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from 50cace1 to a8bf248 Compare April 16, 2026 21:49
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 16, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 1e1ca8a to cad227c Compare April 19, 2026 16:54
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 19, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 2700509 to fe6cb38 Compare April 21, 2026 23:03
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 21, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from c324996 to 69aec72 Compare April 23, 2026 20:05
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 23, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from c6ab286 to 741874d Compare April 29, 2026 23:39
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 29, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 0c9f346 to 712193f Compare April 30, 2026 17:57
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from 712193f to 6d73b1a Compare May 12, 2026 10:42
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.19 [security] May 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from 6d73b1a to 45d59a9 Compare May 12, 2026 17:53
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.19 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] May 12, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.21 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 91cd323 to e6eb5a8 Compare May 14, 2026 22:05
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.21 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] May 14, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.21 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 22bcf7e to 8bfef5f Compare May 18, 2026 23:56
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.21 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from 8bfef5f to c26bcc0 Compare May 22, 2026 18:16
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.23 [security] May 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from c26bcc0 to 9637d86 Compare May 22, 2026 23:46
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.23 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] May 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from 9637d86 to f5bcf39 Compare May 28, 2026 18:49
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.24 [security] May 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from f5bcf39 to c898926 Compare May 28, 2026 23:53
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.24 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] May 28, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.18 [security] fix(deps): update dependency @nestjs/core to ^11.1.27 [security] Jun 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from c898926 to a9f1ae5 Compare June 21, 2026 23:47
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch from a9f1ae5 to 167c0fb Compare June 22, 2026 01:47
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/core to ^11.1.27 [security] fix(deps): update dependency @nestjs/core to ^11.1.18 [security] Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants