
chore(security): patch 16 Dependabot alerts #1566

Closed

PMerlet wants to merge 1 commit into main from chore/security-2026-04-22


Conversation


@PMerlet PMerlet commented Apr 22, 2026

Summary

16 fixed, 0 ignored, 9 deferred, 7 resolutions added.

Bumps @nestjs/* (direct dep, _example + agent devDeps) and axios (forest-cloud direct dep) to patched versions, plus Yarn resolutions for transitive vulnerabilities that have no reachable parent bump in the tree.

Fixed

| Alert | Package | Ecosystem | From → To | Severity | What was bumped |
|---|---|---|---|---|---|
| #329 | axios | npm | 1.13.5 → 1.15.2 | medium | direct dep: packages/forest-cloud ^1.13.5 → ^1.15.0 |
| #328 | follow-redirects | npm | 1.15.11 → 1.16.0 | medium | root resolutions: >=1.16.0 (transitive via forest-cloud#axios) |
| #326 | langsmith | npm | 0.5.11 → 0.5.21 | medium | root resolutions: >=0.5.19 (transitive via ai-proxy#@langchain/core) |
| #324 | lodash | npm | 4.17.23 → 4.18.1 | high | root resolutions: >=4.18.0 (transitive, many parents) |
| #323 | lodash | npm | 4.17.23 → 4.18.1 | medium | root resolutions: >=4.18.0 (same bump as #324) |
| #322 | hono | npm | 4.12.9 → 4.12.14 | medium | root resolutions: >=4.12.14 (transitive via @modelcontextprotocol/sdk) |
| #321 | hono | npm | 4.12.9 → 4.12.14 | medium | same bump as #322 |
| #320 | hono | npm | 4.12.9 → 4.12.14 | medium | same bump as #322 |
| #319 | hono | npm | 4.12.9 → 4.12.14 | medium | same bump as #322 |
| #318 | hono | npm | 4.12.9 → 4.12.14 | medium | same bump as #322 |
| #317 | @hono/node-server | npm | 1.19.12 → 1.19.14 | medium | root resolutions: ^1.19.13 (transitive via @modelcontextprotocol/sdk) |
| #316 | @nestjs/core | npm | 10.4.20 → 11.1.19 | medium | direct dep: packages/_example ^10.4.16 → ^11.1.18 |
| #315 | @nestjs/core | npm | 10.4.20 → 11.1.19 | medium | direct devDep: packages/agent ^10.4.16 → ^11.1.18 |
| #314 | @nestjs/core | npm | 10.4.20 → 11.1.19 | medium | direct dep: packages/_example ^10.4.16 → ^11.1.18 |
| #313 | lodash-es | npm | 4.17.23 → 4.18.1 | medium | root resolutions: >=4.18.0 (transitive via @qiwi/multi-semantic-release) |
| #312 | lodash-es | npm | 4.17.23 → 4.18.1 | high | same bump as #313 |

Ignored

None.

Deferred

Skipped by the 7-day age gate (created less than 7 days ago at 2026-04-22 12:55 UTC):

Resolutions added

Seven entries added to the root resolutions block. For each, the nearest ancestor in the dep graph could not pull in the patched sub-dep, so a scoped pin was used.

  • #328 follow-redirects pinned to >=1.16.0. Parent chain attempted: forest-cloud#axios#follow-redirects. axios@^1.15.0 still declares follow-redirects "^1.15.11", which keeps 1.15.11 resolvable; the only way to force ≥1.16.0 was a resolution. Unblock later: drop the pin when axios publishes a release declaring follow-redirects ≥1.16.0.
  • #326 langsmith pinned to >=0.5.19. Parent chain attempted: ai-proxy#@langchain/core#langsmith and ai-proxy#@langchain/community#@langchain/classic#langsmith. @langchain/core@1.1.15 (the exact-pinned version in ai-proxy) declares langsmith ">=0.4.0 <1.0.0" and @langchain/classic repeats the same range, so yarn happily kept 0.5.11. Bumping @langchain/core itself would be a pin change with a broader API-surface risk than the scoped resolution. Unblock later: when @langchain/core publishes a release raising its langsmith floor, drop the pin.
  • #324 / #323 lodash pinned to >=4.18.0. Parent chains attempted: 15+ ancestors (lerna, sequelize, inquirer, jsonapi-serializer, markdown-link-check, forest-cli, @commitlint, @semantic-release/*, prettier-eslint/vue-eslint-parser, ip-address, @oclif/plugin-warn-if-update-available). All of them declare lodash "^4.17.x"; 4.18 is still on the 4.x line, so the range accepts it, but no ancestor release yet forces it. Bumping every ancestor individually is not viable (many are infrequently-released CLI tooling). A root resolution is the smallest blast radius. Unblock later: drop the pin once the major ancestors (lerna, sequelize, forest-cli, semantic-release plugins) ship releases with lodash "^4.18.0".
  • #313 / #312 lodash-es pinned to >=4.18.0. Parent chain attempted: @qiwi/multi-semantic-release#semantic-release#@semantic-release/{commit-analyzer,github,npm,release-notes-generator}#lodash-es. All four @semantic-release/* plugins declare lodash-es "^4.17.21" and have not released a version raising the floor; bumping @qiwi/multi-semantic-release does not close it either. Unblock later: drop when @semantic-release/* plugins ship a release with lodash-es "^4.18.0".
  • #322–#318 hono pinned to >=4.12.14. Parent chain attempted: ai-proxy#@langchain/mcp-adapters#@modelcontextprotocol/sdk#hono (also surfaced via @modelcontextprotocol/sdk used directly by mcp-server through @langchain/mcp-adapters). @modelcontextprotocol/sdk declares hono "^4.11.4"; 4.12.14 is within that range but the SDK has not re-published to force it. No single ancestor version exists that requires ≥4.12.14. Unblock later: drop when @modelcontextprotocol/sdk bumps its hono floor.
  • #317 @hono/node-server pinned to ^1.19.13. Parent chain attempted: ai-proxy#@langchain/mcp-adapters#@modelcontextprotocol/sdk#@hono/node-server. Same shape as #322–#318. Initially tried >=1.19.13, which resolved to 2.0.0 (major), so tightened to ^1.19.13 to stay on the 1.x line consumed by @modelcontextprotocol/sdk (^1.19.9). Unblock later: drop when MCP SDK bumps its floor or supports 2.x.
  • axios also pinned at the root to >=1.15.0. The forest-cloud direct bump is enough on its own for the declared dependency, but a root resolution guarantees any hoisted/transitive axios (e.g. lerna#nx#axios) also lands on 1.15.x, closing the same advisory at the graph level. Unblock later: this is redundant once every transitive axios consumer advertises ^1.15.0 or higher; safe to remove at that point.

Risks

  • @nestjs/core + siblings 10.4.20 → 11.1.19 (major). This is the only breaking bump in this PR. It touches two places: packages/_example (a private, non-published example app: NestFactory.create, FastifyAdapter, @Controller, @Module, @Get — all stable across v10 → v11) and packages/agent devDependencies (used only by two integration tests: test/framework-mounter.test.ts and test/agent-integration.test.ts, same API surface). The cascade from this bump pulled Fastify 4 → 5, Express 4 → 5, @fastify/cors 9 → 11, @fastify/formbody 7 → 8, find-my-way 8 → 9, pino → 10, multer 1 → 2, and some peer-adjacent plugins into their 5.x line. All 901 tests in @forestadmin/agent pass, including the NestJS integration tests, so the agent's own runtime surface is unaffected (it doesn't ship NestJS — only tests against it). Consumers are unaffected because @nestjs/* are dev-only for the published @forestadmin/agent package.
  • axios 1.13.5 → 1.15.2. Patch line of 1.x; no changelog-listed breaking changes touching APIs used by forest-cloud (just axios.create, axios.get/post/patch/delete, response/interceptor plumbing). No behavior change beyond the patched SSRF + metadata-exfiltration vulns.
  • follow-redirects 1.15.11 → 1.16.0, lodash 4.17.23 → 4.18.1, lodash-es 4.17.23 → 4.18.1, hono 4.12.9 → 4.12.14, @hono/node-server 1.19.12 → 1.19.14, langsmith 0.5.11 → 0.5.21. All minor/patch bumps on the same semver line. No behavior change beyond the patched vulns.
  • No tests were modified. Pre-existing lint/prettier/integration-DB-test warnings on main are unaffected by this PR and equivalent between main and this branch (yarn test from root on baseline: 1222 integration-test failures; on this branch: 1215 — all pre-existing DB/network-dependent).

Manual testing

Covered by CI — no manual steps needed. Verified locally via yarn workspace @forestadmin/agent test (901/901 pass, covers the NestJS bump), yarn workspace @forestadmin/forest-cloud test (162/162, covers the axios bump), yarn workspace @forestadmin/ai-proxy test (274/274, covers langsmith/hono resolutions), yarn workspace @forestadmin/mcp-server test (540/540, covers hono/@hono/node-server resolutions), and yarn workspace @forestadmin/agent-testing test (33/33).

Validation

  • yarn workspace @forestadmin/agent test: 901 passed.
  • yarn workspace @forestadmin/forest-cloud test: 162 passed.
  • yarn workspace @forestadmin/ai-proxy test: 274 passed (41 skipped, same as main).
  • yarn workspace @forestadmin/mcp-server test: 540 passed.
  • yarn workspace @forestadmin/agent-testing test: 33 passed (1 skipped, same as main).
  • yarn build (all 20 projects): success.
  • npx prettier --check on every file touched by this PR: clean. (Root-level npx prettier --check . shows 45 pre-existing style warnings, unchanged between main and this branch.)
  • yarn lint: pre-existing errors in datasource-mongo/src/connection/create-connection.ts only, identical on main.
  • yarn why after install confirms patched versions resolved everywhere: axios 1.15.2, follow-redirects 1.16.0, lodash 4.18.1, lodash-es 4.18.1, hono 4.12.14, @hono/node-server 1.19.14, langsmith 0.5.21, @nestjs/core 11.1.19.

https://claude.ai/code/session_01SV4RdAPN73FmbhMrqfsPHM

Note

Patch 16 Dependabot security alerts by upgrading NestJS, axios, and other dependencies

  • Bumps @nestjs/* packages from ^10.4.16 to ^11.1.18 in the example app and agent packages
  • Updates axios constraint from ^1.13.5 to ^1.15.0 in packages/forest-cloud
  • Adds version floor constraints in the root package.json for follow-redirects, lodash, lodash-es, hono, @hono/node-server, and langsmith to satisfy Dependabot alerts
  • Risk: The NestJS major version bump (v10 → v11) may introduce breaking changes in NestJS APIs used by the agent and example app

Macroscope summarized 4ec7b0b.

Bumps @nestjs/* to ^11.1.18 (direct, _example + agent devDeps), axios
to ^1.15.0 (forest-cloud), and adds Yarn resolutions for transitive
vulns: follow-redirects >=1.16.0, lodash/lodash-es >=4.18.0,
hono >=4.12.14, @hono/node-server ^1.19.13, langsmith >=0.5.19.
@PMerlet PMerlet closed this Apr 22, 2026
qltysh Bot commented Apr 22, 2026

Qlty


Coverage Impact

This PR will not change total coverage.

