
chore: npm audit cleanup#12

Merged
jim-toth merged 1 commit into
masterfrom
chore/npm-audit-cleanup
Jun 18, 2026

Conversation

@jim-toth

Contributor

Resolve all critical/high advisories that have a clean forward fix, avoiding npm's --force suggestions (which were major downgrades: ethers 6->5, jest 29->25, nestjs 11->7).

  • npm audit fix for in-range transitive bumps
  • update @nestjs/* forward within v11
  • bump jest->30, ts-jest->29, @types/jest->30 (dev only)
  • overrides:
    • multer ^2.2.0 (root of the nestjs high cluster; platform-express pins the vulnerable 2.1.1)
    • ws via $ws (ethers internally pins vulnerable 8.17.1; direct ws range raised to ^8.21.0)
    • js-yaml ^4.2.0 (clears the jest moderate cluster; the only 3.x copy is under @istanbuljs/load-nyc-config, which only calls .load())

Remaining 10 are knowingly left (no clean forward fix): undici and the warp-arbundles/warp-isomorphic/aoconnect chain, consul->uuid (uuid 11 is ESM-only), geoip-lite->ip-address, secp256k1->elliptic.
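The overrides described above, written out as a package.json fragment. This is an added illustration, not the repository's own manifest: the package name and the @nestjs/platform-express and ethers ranges are assumptions; the ws direct range, the dev tooling versions and the three override values are the ones the PR lists. `"ws": "$ws"` is npm's syntax for "pin every transitive copy of ws to whatever range the direct `dependencies.ws` entry declares", so ethers' internal 8.17.1 pin is collapsed onto ^8.21.0 without stating the version twice.

```json
{
  "name": "example-service",
  "version": "0.0.0",
  "dependencies": {
    "@nestjs/platform-express": "^11.0.0",
    "ethers": "^6.0.0",
    "ws": "^8.21.0"
  },
  "devDependencies": {
    "@types/jest": "^30.0.0",
    "jest": "^30.4.2",
    "ts-jest": "^29.4.11"
  },
  "overrides": {
    "multer": "^2.2.0",
    "ws": "$ws",
    "js-yaml": "^4.2.0"
  }
}
```

Forcing a transitive package across a major (js-yaml 3.x to 4.x here) is only safe when every consumer uses an API that survived the major, which is the check the description records for @istanbuljs/load-nyc-config; after `npm install`, `npm ls js-yaml` and `npm ls ws` show whether the override actually collapsed all copies onto a single version.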

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@jim-toth jim-toth changed the title from "chore: npm audit cleanup (63 -> 10 vulnerabilities)" to "chore: npm audit cleanup" on Jun 18, 2026
@jim-toth jim-toth requested a review from Copilot June 18, 2026 01:26

Copilot AI left a comment


Pull request overview

Updates npm dependency graph to address npm audit findings with forward-only upgrades (no major downgrades), using overrides to patch vulnerable transitive pins while keeping the project on the current NestJS major.

Changes:

  • Add npm overrides for multer, ws (via $ws), and js-yaml to remediate transitive vulnerabilities.
  • Bump ws direct dependency to ^8.21.0.
  • Upgrade test tooling: jest to ^30.4.2, ts-jest to ^29.4.11, and @types/jest to ^30.0.0.


@jim-toth jim-toth merged commit 7b0d4fb into master Jun 18, 2026
4 checks passed