The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
- https://snyk.io/vuln/SNYK-JS-FASTIFY-15182642
- https://snyk.io/vuln/SNYK-JS-AJV-15274295
- https://snyk.io/vuln/SNYK-JS-FASTIFY-15182641
- https://snyk.io/vuln/SNYK-JS-LODASH-15053838
Pull request overview
This Snyk PR attempts to remediate reported npm dependency vulnerabilities by upgrading several NestJS-related dependencies (notably GraphQL and Fastify integrations), which cascades into major-version shifts across the Nest/Fastify/GraphQL stack.
Changes:
- Upgraded @nestjs/common to ^9.0.0.
- Upgraded @nestjs/graphql to ^13.2.4.
- Upgraded @nestjs/platform-fastify to ^11.1.13 and updated the lockfile accordingly.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Bumps selected NestJS packages to newer majors to address Snyk-reported vulns. |
| package-lock.json | Regenerated dependency tree reflecting the NestJS/Fastify/GraphQL upgrades. |
| "@nestjs/graphql": "^13.2.4", | ||
| "@nestjs/microservices": "^7.6.12", | ||
| "@nestjs/platform-fastify": "^7.6.12", | ||
| "@nestjs/platform-fastify": "^11.1.13", | ||
| "@types/sinon": "^9.0.10", | ||
| "apollo-server-fastify": "^2.21.0", |
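Review bot: this hunk bumps @nestjs/graphql to ^13.2.4 and @nestjs/platform-fastify from ^7.6.12 to ^11.1.13 while leaving @nestjs/microservices at ^7.6.12 and apollo-server-fastify at ^2.21.0 in the same block, so three Nest majors now sit next to an Apollo Server 2 integration. Because the PR's stated purpose is the five transitive advisories (axios, fastify, ajv, lodash), prefer the smallest bump that moves those transitive packages, then confirm after install with `npm ls axios ajv lodash fastify` that the regenerated lockfile actually resolves patched versions, instead of crossing several Nest majors in one dependency PR.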
@nestjs/graphql@13.x no longer bundles an Apollo integration; it expects a GraphQL driver package (e.g., @nestjs/apollo) to be installed/used. This repo doesn’t currently depend on @nestjs/apollo, and still has apollo-server-fastify@2.x pinned, which is unlikely to be compatible with the upgraded Nest GraphQL stack. Add the appropriate Nest GraphQL driver dependency (and adjust GraphQLModule configuration accordingly), or pin @nestjs/graphql to a version compatible with the existing Apollo Server v2 setup.
| "@nestjs/common": "^9.0.0", | ||
| "@nestjs/config": "^0.6.3", | ||
| "@nestjs/core": "^7.5.1", | ||
| "@nestjs/graphql": "^7.9.11", | ||
| "@nestjs/graphql": "^13.2.4", | ||
| "@nestjs/microservices": "^7.6.12", | ||
| "@nestjs/platform-fastify": "^7.6.12", | ||
| "@nestjs/platform-fastify": "^11.1.13", |
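Review bot: @nestjs/common moves to ^9.0.0 in the first row while @nestjs/core in the third row stays at ^7.5.1; @nestjs/core declares @nestjs/common at the same major as a peer dependency, so `npm install` will stop with an ERESOLVE error, and installing with --legacy-peer-deps would only hide the mismatch until runtime. Either bump @nestjs/core and @nestjs/microservices (and the @nestjs/platform-fastify and @nestjs/graphql rows) to one major together with rxjs, or revert @nestjs/common to the ^7 line; in both cases run `npm install --dry-run` without --legacy-peer-deps before merging so the resolution result is visible in the PR.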
The updated NestJS package versions are mutually incompatible: @nestjs/common@^9 is now out of sync with @nestjs/core@^7 / @nestjs/microservices@^7 / @nestjs/config@^0.6, and the upgraded @nestjs/platform-fastify@^11 + @nestjs/graphql@^13 require newer Nest majors. This will lead to npm peer-dependency resolution failures and/or runtime incompatibilities. Align all @nestjs/* packages (and their peers like rxjs) to a single compatible major version, or downgrade the upgraded packages to versions compatible with Nest v7.
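The major-version drift described in the comment above can be caught before merge with a small manifest check. This is an added example, not code from the PR or the repository; it assumes a plain package.json with simple npm ranges, and the manifest it runs on is constructed from the versions visible in the diff rows.

```javascript
// Added example (not part of the PR or the repository): flags @nestjs/*
// dependencies whose majors have drifted apart. The manifest below is
// constructed from the diff rows and is not the project's real package.json.

// Major version of a simple npm range ("^9.0.0", "~7.5.1", "7.x", ">=11.1.13").
// Returns null for anything it cannot read (dist-tags, URLs, complex ranges).
function majorOf(range) {
  const m = /^\s*(?:[\^~]|>=?)?\s*v?(\d+)(?:\.|$)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Group every dependency under `scope` by major. Packages on a 0.x line
// (e.g. @nestjs/config) follow their own release cadence, so they are listed
// under `independent` instead of being counted as drift.
function groupByMajor(pkg, scope) {
  const majors = {}, independent = [], unparsed = [];
  const all = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  for (const [name, range] of Object.entries(all)) {
    if (!name.startsWith(scope)) continue;
    const major = majorOf(range);
    if (major === null) unparsed.push(name);
    else if (major === 0) independent.push(name);
    else (majors[major] = majors[major] || []).push(name);
  }
  return { majors, independent, unparsed };
}

// True only when every readable, post-1.0 package under `scope` shares one major.
function majorsAligned(pkg, scope) {
  const { majors, unparsed } = groupByMajor(pkg, scope);
  return unparsed.length === 0 && Object.keys(majors).length <= 1;
}

// Constructed sample mirroring the versions shown in the PR rows.
const sampleManifest = {
  dependencies: {
    "@nestjs/common": "^9.0.0",
    "@nestjs/config": "^0.6.3",
    "@nestjs/core": "^7.5.1",
    "@nestjs/graphql": "^13.2.4",
    "@nestjs/microservices": "^7.6.12",
    "@nestjs/platform-fastify": "^11.1.13",
    "apollo-server-fastify": "^2.21.0",
  },
  devDependencies: { "@types/sinon": "^9.0.10" },
};

console.log(groupByMajor(sampleManifest, "@nestjs/"),
  majorsAligned(sampleManifest, "@nestjs/") ? "aligned" : "DRIFT: align @nestjs/* majors");
```

Run it as a CI step against the real package.json (replace `sampleManifest` with the parsed file) and fail the job on DRIFT.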
Snyk has created this PR to fix 5 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-AXIOS-15252993
- SNYK-JS-FASTIFY-15182642
- SNYK-JS-AJV-15274295
- SNYK-JS-FASTIFY-15182641
- SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Allocation of Resources Without Limits or Throttling