From 4421daa2de89ee63424b01180831d5f73b003efe Mon Sep 17 00:00:00 2001 From: Charly Gomez Date: Mon, 4 May 2026 12:03:00 +0200 Subject: [PATCH 1/2] fix(deps): bump @nestjs/core and @nestjs/platform-express to fix path-to-regexp ReDoS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps @nestjs/core and @nestjs/platform-express from 11.1.6 → 11.1.19 in integration tests, which updates path-to-regexp from 8.2.0 → 8.4.2. Also deduplicates remaining path-to-regexp 8.x entries to 8.4.2. Fixes Dependabot alerts 1276 (CVE-2026-4926) and 1277 (CVE-2026-4923). Co-Authored-By: Claude Opus 4.6 (1M context) --- yarn.lock | 86 +++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 67 insertions(+), 19 deletions(-) diff --git a/yarn.lock b/yarn.lock index 072b85ad3012..0eb8ea5c3e36 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5475,6 +5475,17 @@ dependencies: "@tybys/wasm-util" "^0.10.1" +"@nestjs/common@11.1.19": + version "11.1.19" + resolved "https://registry.yarnpkg.com/@nestjs/common/-/common-11.1.19.tgz#50ba93ae45ebaeda6163554b8e2ecec545a25c92" + integrity sha512-qeiTt2tv+e5QyDKqG8HlVZb2wx64FEaSGFJouqTSRs+kG44iTfl3xlz1XqVped+rihx4hmjWgL5gkhtdK3E6+Q== + dependencies: + uid "2.0.2" + file-type "21.3.4" + iterare "1.2.1" + load-esm "1.0.3" + tslib "2.8.1" + "@nestjs/common@^10.0.0": version "10.4.15" resolved "https://registry.yarnpkg.com/@nestjs/common/-/common-10.4.15.tgz#27c291466d9100eb86fdbe6f7bbb4d1a6ad55f70" @@ -5495,6 +5506,18 @@ load-esm "1.0.3" tslib "2.8.1" +"@nestjs/core@11.1.19": + version "11.1.19" + resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-11.1.19.tgz#d724f1afc0caac29e005464f0f659425fc80235b" + integrity sha512-6nJkWa2efrYi+XlU686J9y5L7OvxpLVjT0T/sxRKE7Jvpffiihelup4WSvLvRhdHDjj/5SuoWEwqReXAaaeHmw== + dependencies: + uid "2.0.2" + "@nuxt/opencollective" "0.4.1" + fast-safe-stringify "2.1.1" + iterare "1.2.1" + path-to-regexp "8.4.2" + tslib "2.8.1" + "@nestjs/core@^10.0.0": version "10.4.15" resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-10.4.15.tgz#1343a3395d5c54e9b792608cb75eef39053806d5" @@ -5508,26 +5531,37 @@ tslib "2.8.1" "@nestjs/core@^11": - version "11.1.6" - resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-11.1.6.tgz#9d54882f121168b2fa2b07fa1db0858161a80626" - integrity sha512-siWX7UDgErisW18VTeJA+x+/tpNZrJewjTBsRPF3JVxuWRuAB1kRoiJcxHgln8Lb5UY9NdvklITR84DUEXD0Cg== + version "11.1.19" + resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-11.1.19.tgz#d724f1afc0caac29e005464f0f659425fc80235b" + integrity sha512-6nJkWa2efrYi+XlU686J9y5L7OvxpLVjT0T/sxRKE7Jvpffiihelup4WSvLvRhdHDjj/5SuoWEwqReXAaaeHmw== dependencies: uid "2.0.2" "@nuxt/opencollective" "0.4.1" fast-safe-stringify "2.1.1" iterare "1.2.1" - path-to-regexp "8.2.0" + path-to-regexp "8.4.2" + tslib "2.8.1" + +"@nestjs/platform-express@11.1.19": + version "11.1.19" + resolved "https://registry.yarnpkg.com/@nestjs/platform-express/-/platform-express-11.1.19.tgz#e55f5078396b2285344f95f2b530b648e844cd4c" + integrity sha512-Vpdv8jyCQdThfoTx+UTn+DRYr6H6X02YUqcpZ3qP6G3ZUwtVp7eS+hoQPGd4UuCnlnFG8Wqr2J9bGEzQdi1rIg== + dependencies: + cors "2.8.6" + express "5.2.1" + multer "2.1.1" + path-to-regexp "8.4.2" tslib "2.8.1" "@nestjs/platform-express@^11": - version "11.1.13" - resolved "https://registry.yarnpkg.com/@nestjs/platform-express/-/platform-express-11.1.13.tgz#272e350cb3938ec0f383aa083c7f1d5d44fae2dc" - integrity sha512-LYmi43BrAs1n74kLCUfXcHag7s1CmGETcFbf9IVyA/KWXAuAH95G3wEaZZiyabOLFNwq4ifnRGnIwUwW7cz3+w== + version "11.1.19" + resolved "https://registry.yarnpkg.com/@nestjs/platform-express/-/platform-express-11.1.19.tgz#e55f5078396b2285344f95f2b530b648e844cd4c" + integrity sha512-Vpdv8jyCQdThfoTx+UTn+DRYr6H6X02YUqcpZ3qP6G3ZUwtVp7eS+hoQPGd4UuCnlnFG8Wqr2J9bGEzQdi1rIg== dependencies: cors "2.8.6" express "5.2.1" - multer "2.0.2" - path-to-regexp "8.3.0" + multer "2.1.1" + path-to-regexp "8.4.2" tslib "2.8.1" "@next/env@14.2.35": @@ -17453,6 +17487,16 @@ file-type@21.3.2: token-types "^6.1.1" uint8array-extras "^1.4.0" +file-type@21.3.4: + version "21.3.4" + resolved "https://registry.yarnpkg.com/file-type/-/file-type-21.3.4.tgz#e3f902faee8ec4aa152909fc902a7a77f9c06725" + integrity sha512-Ievi/yy8DS3ygGvT47PjSfdFoX+2isQueoYP1cntFW1JLYAuS4GD7NUPGg4zv2iZfV52uDyk5w5Z0TdpRS6Q1g== + dependencies: + "@tokenizer/inflate" "^0.4.1" + strtok3 "^10.3.4" + token-types "^6.1.1" + uint8array-extras "^1.4.0" + file-uri-to-path@1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz#553a7b8446ff6f684359c445f1e37a05dacc33dd" @@ -22594,6 +22638,16 @@ multer@2.0.2: type-is "^1.6.18" xtend "^4.0.2" +multer@2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/multer/-/multer-2.1.1.tgz#122d819244fbdfee1efddd9147426691014385b7" + integrity sha512-mo+QTzKlx8R7E5ylSXxWzGoXoZbOsRMpyitcht8By2KHvMbf3tjwosZ/Mu/XYU6UuJ3VZnODIrak5ZrPiPyB6A== + dependencies: + append-field "^1.0.0" + busboy "^1.6.0" + concat-stream "^2.0.0" + type-is "^1.6.18" + multicast-dns@^7.2.5: version "7.2.5" resolved "https://registry.yarnpkg.com/multicast-dns/-/multicast-dns-7.2.5.tgz#77eb46057f4d7adbd16d9290fa7299f6fa64cced" @@ -24382,15 +24436,10 @@ path-to-regexp@6.3.0, path-to-regexp@^6.2.1: resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.3.0.tgz#2b6a26a337737a8e1416f9272ed0766b1c0389f4" integrity sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ== -path-to-regexp@8.2.0: - version "8.2.0" - resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-8.2.0.tgz#73990cc29e57a3ff2a0d914095156df5db79e8b4" - integrity sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ== - -path-to-regexp@8.3.0, path-to-regexp@^8.0.0: - version "8.3.0" - resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-8.3.0.tgz#aa818a6981f99321003a08987d3cec9c3474cd1f" - integrity sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA== +path-to-regexp@8.4.2, path-to-regexp@^8.0.0: + version "8.4.2" + resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-8.4.2.tgz#795c420c4f7ca45c5b887366f622ee0c9852cccd" + integrity sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA== path-to-regexp@^1.5.3, path-to-regexp@^1.7.0: version "1.9.0" @@ -28553,7 +28602,6 @@ stylus@0.59.0, stylus@^0.59.0: sucrase@^3.27.0, sucrase@^3.35.0, sucrase@getsentry/sucrase#es2020-polyfills: version "3.36.0" - uid fd682f6129e507c00bb4e6319cc5d6b767e36061 resolved "https://codeload.github.com/getsentry/sucrase/tar.gz/fd682f6129e507c00bb4e6319cc5d6b767e36061" dependencies: "@jridgewell/gen-mapping" "^0.3.2" From 8240ef97404d29ace5e8a50cf05f2335645e8558 Mon Sep 17 00:00:00 2001 From: Charly Gomez Date: Mon, 4 May 2026 14:19:03 +0200 Subject: [PATCH 2/2] chore(deps): dedupe yarn.lock Co-Authored-By: Claude Opus 4.6 (1M context) --- yarn.lock | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/yarn.lock b/yarn.lock index 02e0dbe48923..22d2bb15b58c 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5436,7 +5436,7 @@ dependencies: "@tybys/wasm-util" "^0.10.1" -"@nestjs/common@11.1.19": +"@nestjs/common@11.1.19", "@nestjs/common@^11": version "11.1.19" resolved "https://registry.yarnpkg.com/@nestjs/common/-/common-11.1.19.tgz#50ba93ae45ebaeda6163554b8e2ecec545a25c92" integrity sha512-qeiTt2tv+e5QyDKqG8HlVZb2wx64FEaSGFJouqTSRs+kG44iTfl3xlz1XqVped+rihx4hmjWgL5gkhtdK3E6+Q== @@ -5456,17 +5456,6 @@ iterare "1.2.1" tslib "2.8.1" -"@nestjs/common@^11": - version "11.1.17" - resolved "https://registry.npmjs.org/@nestjs/common/-/common-11.1.17.tgz" - integrity sha512-hLODw5Abp8OQgA+mUO4tHou4krKgDtUcM9j5Ihxncst9XeyxYBTt2bwZm4e4EQr5E352S4Fyy6V3iFx9ggxKAg== - dependencies: - uid "2.0.2" - file-type "21.3.2" - iterare "1.2.1" - load-esm "1.0.3" - tslib "2.8.1" - "@nestjs/core@11.1.19": version "11.1.19" resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-11.1.19.tgz#d724f1afc0caac29e005464f0f659425fc80235b"