FileTypeValidator can use the wrong version of file-type

[stevenhair]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

Because the file-type package is ESM-only, FileTypeValidator loads it dynamically:

nest/packages/common/pipes/file/file-type.validator.ts

Lines 75 to 76 in 01f762c

	const { fileTypeFromBuffer } =
	await loadEsm<typeof import('file-type')>('file-type');

However, this will load the version of file-type in the root node_modules directory which may be different from the version required by @nestjs/common. Not only can this fail, but it will fail with a cryptic error message. For example:

Validation failed (current file type is application/octet-stream, expected type is application/octet-stream)

In my case, I am using jimp, which uses and older version of file-type. npm decides to hoist the older version to the root node_modules directory.

This should be able to be fixed by setting file-type as a peer dependency. This would cause npm to install the desired version of file-type in the root node_modules directory. Since modern versions of npm install peer dependencies automatically, it shouldn't cause any issues unless a project is directly using an older version of file-type.

Minimum reproduction code

https://github.com/stevenhair/super-duper-pancake

Steps to reproduce

1. npm ci
2. npm start
3. Upload a file with a command like curl http://localhost:3000 -F "file=@<filename here>"
4. Receive the following error: Validation failed (current file type is application/octet-stream, expected type is /.*/)

Expected behavior

The file validation should succeed and the route should return the success response. You can see the validation pass successfully if you uninstall the older version of file-type.

Package

• I don't know. Or some 3rd-party package
• @nestjs/common
• @nestjs/core
• @nestjs/microservices
• @nestjs/platform-express
• @nestjs/platform-fastify
• @nestjs/platform-socket.io
• @nestjs/platform-ws
• @nestjs/testing
• @nestjs/websockets
• Other (see below)

Other package

No response

NestJS version

11.x.x

Packages versions

[Nest CLI]
Nest CLI Version : 11.0.7

[Nest Platform Information
platform-express version : 11.1.3
schematics version       : 11.0.5
testing version          : 11.1.3
common version           : 11.1.3
core version             : 11.1.3
cli version              : 11.0.7

Node.js version

22.13.1

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

npm version 10.9.2

[Yasir-Rafique]

Thanks for raising this — fully agree with the root cause described here.

Since @nestjs/common dynamically imports file-type but doesn't declare it as a peerDependency, npm hoisting may cause an incompatible version of file-type to be loaded (especially when other packages like jimp depend on older versions). This leads to the file validator failing unexpectedly at runtime.

Declaring file-type as a peerDependency inside @nestjs/common (with a version compatible with its dynamic import usage) would allow npm to ensure the correct version is installed, avoiding version conflicts.

Happy to help prepare a PR to address this if useful.