
chore(deps): Bump @nestjs packages to fix path-to-regexp ReDoS #20642

Merged: chargome merged 3 commits into develop from fix/dependabot-alert-1276 on May 4, 2026

chargome (Member) commented May 4, 2026

Summary

🤖 Generated with Claude Code

…-to-regexp ReDoS

Bumps @nestjs/core and @nestjs/platform-express from 11.1.6 → 11.1.19
in integration tests, which updates path-to-regexp from 8.2.0 → 8.4.2.
Also deduplicates remaining path-to-regexp 8.x entries to 8.4.2.

Fixes Dependabot alerts 1276 (CVE-2026-4926) and 1277 (CVE-2026-4923).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
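
A lockfile check for the deduplication this commit message describes, as an added example that is not part of the PR or the repository: it lists path-to-regexp entries on the 8.x line that still resolve below 8.4.2. The Yarn v1 lockfile layout and the names `staleEntries`, `resolvedEntries` and `SAMPLE_LOCK` are assumptions, and the sample lockfile is constructed.

```javascript
// Added example, not from the PR. SAMPLE_LOCK is constructed (assumed Yarn v1 layout).
const SAMPLE_LOCK = `
"@nestjs/core@11.1.19":
  version "11.1.19"
  dependencies:
    path-to-regexp "8.4.2"

path-to-regexp@0.1.12:
  version "0.1.12"

path-to-regexp@8.2.0, path-to-regexp@^8.0.0:
  version "8.2.0"

path-to-regexp@8.4.2:
  version "8.4.2"
`;

// "a.b.c" -> [a, b, c]; pre-release and build suffixes are ignored.
const parseVersion = v => v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  const i = [0, 1, 2].find(k => (x[k] || 0) !== (y[k] || 0));
  return i !== undefined && (x[i] || 0) < (y[i] || 0);
}

// Every lockfile entry for pkg, as { specifiers, version }. An entry header is an
// unindented line of comma-separated, optionally quoted "name@range" specifiers.
function resolvedEntries(lockText, pkg) {
  const entries = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const specifiers = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      const hit = specifiers.some(s => s.slice(0, s.lastIndexOf('@')) === pkg);
      current = hit ? { specifiers, version: null } : null;
    } else if (current) {
      const m = /^\s+version\s+"([^"]+)"$/.exec(line);
      if (m) { entries.push({ ...current, version: m[1] }); current = null; }
    }
  }
  return entries;
}

// Entries on the floor's major line that still resolve below the floor.
function staleEntries(lockText, pkg, floor) {
  return resolvedEntries(lockText, pkg).filter(e =>
    parseVersion(e.version)[0] === parseVersion(floor)[0] && isBelow(e.version, floor));
}
```

Calling `staleEntries(lockText, 'path-to-regexp', '8.4.2')` on a real lockfile's text and failing CI when the result is non-empty keeps an older 8.x copy from returning through another transitive dependency.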
chargome marked this pull request as draft May 4, 2026 11:12
chargome self-assigned this May 4, 2026
github-actions Bot (Contributor) commented May 4, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 26.31 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.8 kB | - | - |
| @sentry/browser (incl. Tracing) | 44.2 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 46.42 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 49.16 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 83.58 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 73.04 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 88.26 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 100.87 kB | - | - |
| @sentry/browser (incl. Feedback) | 43.47 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 31.12 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 36.21 kB | - | - |
| @sentry/browser (incl. Metrics) | 27.62 kB | - | - |
| @sentry/browser (incl. Logs) | 27.75 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 28.45 kB | - | - |
| @sentry/react | 28.05 kB | - | - |
| @sentry/react (incl. Tracing) | 46.42 kB | - | - |
| @sentry/vue | 31.18 kB | - | - |
| @sentry/vue (incl. Tracing) | 46.04 kB | - | - |
| @sentry/svelte | 26.34 kB | - | - |
| CDN Bundle | 28.91 kB | - | - |
| CDN Bundle (incl. Tracing) | 46.95 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 30.34 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 48.06 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 69.41 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 84.11 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 85.16 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 89.91 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 91.01 kB | - | - |
| CDN Bundle - uncompressed | 84.72 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 140.31 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 88.92 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 143.77 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 212.86 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 258.11 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 261.56 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 271.81 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 275.25 kB | - | - |
| @sentry/nextjs (client) | 48.92 kB | - | - |
| @sentry/sveltekit (client) | 44.67 kB | - | - |
| @sentry/node-core | 59.13 kB | +0.02% | +10 B 🔺 |
| @sentry/node | 170.42 kB | +0.01% | +11 B 🔺 |
| @sentry/node - without tracing | 97 kB | +0.01% | +9 B 🔺 |
| @sentry/aws-serverless | 113.85 kB | +0.03% | +32 B 🔺 |
| @sentry/cloudflare (withSentry) - minified | 165.2 kB | - | - |
| @sentry/cloudflare (withSentry) | 417.71 kB | - | - |


chargome and others added 2 commits May 4, 2026 14:13
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
chargome requested a review from nicohrubec May 4, 2026 12:48
chargome marked this pull request as ready for review May 4, 2026 12:48
chargome changed the title from "fix(deps): Bump @nestjs packages to fix path-to-regexp ReDoS" to "chore(deps): Bump @nestjs packages to fix path-to-regexp ReDoS" May 4, 2026
chargome merged commit 5637aa0 into develop May 4, 2026
255 checks passed
chargome deleted the fix/dependabot-alert-1276 branch May 4, 2026 13:01