build(deps): bump @nestjs/core from 8.0.6 to 11.1.18

[dependabot]

Bumps @nestjs/core from 8.0.6 to 11.1.18.

Release notes

Sourced from @​nestjs/core's releases.

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

Dependencies

• common
  • #16567 fix(deps): update dependency file-type to v21.3.2 (@​renovate[bot])
• platform-fastify
  • #16533 fix(deps): update dependency fastify to v5.8.2 (@​renovate[bot])

Committers: 3

• Rohan Santhosh Kumar (@​Rohan5commit)
• Vasil Chomakov (@​vchomakov)
• Kamil Mysliwiec (@​kamilmysliwiec)

... (truncated)

Commits

• 3c1cc5f chore(release): publish v11.1.18 release
• 0f962c7 fix(core): sanitize sse message
• 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
• 368691c fix(core): prevent injector hang when design:paramtypes is missing
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 4677434 feat(core): export IEntryNestModule type
• 7493b94 fix(core): dependency injection edge case with moduleref.create
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade @nestjs/core to v11.1.18 to pick up Nest 11 fixes and updated routing utilities. This is a major bump; other Nest packages should be aligned to v11.

• Dependencies

  • path-to-regexp@8.4.2, tslib@2.8.1.
  • Replace @nuxtjs/opencollective with @nuxt/opencollective (uses consola@^3).
  • Drops node-fetch@^2.6.1 from the tree.

• Migration

  • Align @nestjs/common, @nestjs/platform-express, and other Nest packages to v11.
  • Rebuild and run tests to confirm DI and SSE changes don’t impact the app.

^{Written for commit 46d5b1f. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ever-traduora-docs	Error		Apr 6, 2026 10:34pm

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	conventional-changelog-cli@​5.0.0
	husky@​9.1.7
	@​commitlint/​travis-cli@​19.8.0
	@​commitlint/​cli@​19.8.0
	cz-conventional-changelog@​3.3.0
	@​commitlint/​config-lerna-scopes@​19.7.0
	cloc@​2.4.0-cloc
	codelyzer@​6.0.2
	concurrently@​9.1.2
	lerna@​8.2.1
	conventional-changelog@​6.0.0
	@​semantic-release/​changelog@​6.0.3
	@​semantic-release/​git@​10.0.1
	commitizen@​4.3.1
	@​semantic-release/​github@​11.0.1
	@​semantic-release/​npm@​12.0.1
	@​commitlint/​config-conventional@​19.8.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Prototype Pollution in npm minimist CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: ? → npm/minimist@1.2.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the API service’s NestJS runtime dependency.

Changes:

• Bumps @nestjs/core in api/package.json from ^10.4.6 to ^11.1.18
• Updates the workspace lockfile (yarn.lock) to reflect the new resolved dependency tree

Technical Notes: This is a major NestJS upgrade for @nestjs/core, which may require aligning other @nestjs/* packages to compatible major versions.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

api/package.json:38 bumps @nestjs/core to v11, but @nestjs/common and @nestjs/platform-express remain at v10.4.6; @nestjs/core@11 declares peer deps on @nestjs/common/@nestjs/platform-express ^11.0.0, so this mixed major-version set is likely to cause install-time peer-dependency errors/warnings or runtime incompatibilities.

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

api/package.json:38 / PR metadata: the PR title/description says this bumps @nestjs/core from 8.0.6, but the diff shows it was ^10.4.6 in this repo; that mismatch could make the upgrade scope confusing to reviewers/release notes.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="api/package.json">

<violation number="1" location="api/package.json:38">
P1: This upgrades only `@nestjs/core` to v11, but the rest of the Nest stack here still requires `@nestjs/core` v10. That leaves `api/package.json` with incompatible peer dependencies and an unsupported mixed-major Nest setup.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: This upgrades only @nestjs/core to v11, but the rest of the Nest stack here still requires @nestjs/core v10. That leaves api/package.json with incompatible peer dependencies and an unsupported mixed-major Nest setup.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At api/package.json, line 38:

<comment>This upgrades only `@nestjs/core` to v11, but the rest of the Nest stack here still requires `@nestjs/core` v10. That leaves `api/package.json` with incompatible peer dependencies and an unsupported mixed-major Nest setup.</comment>

<file context>
@@ -35,7 +35,7 @@
     "@nestjs/common": "^10.4.6",
     "@nestjs/config": "^3.3.0",
-    "@nestjs/core": "^10.4.6",
+    "@nestjs/core": "^11.1.18",
     "@nestjs/jwt": "^10.2.0",
     "@nestjs/passport": "^10.0.3",
</file context>

Suggested change

	"@nestjs/core": "^11.1.18",
	"@nestjs/core": "^10.4.6",

[greptile-apps]

Greptile Summary

This PR bumps only @nestjs/core to v11.1.18 while leaving all other @nestjs/* packages (common, platform-express, testing, cli, etc.) at v10, creating an unsupported peer dependency conflict — @nestjs/core v11 requires @nestjs/common ^11.0.0, which is incompatible with the existing ^10.4.6 constraint. All NestJS packages must be upgraded to v11 simultaneously.

Confidence Score: 4/5

Not safe to merge — @nestjs/core v11 conflicts with the remaining v10 NestJS packages, risking runtime failures

One clear P1 finding: incomplete NestJS major-version upgrade creates peer dependency mismatches that will cause runtime errors and type mismatches between shared internal interfaces

api/package.json — all @nestjs/* dependencies must be co-upgraded to v11

Important Files Changed

Filename	Overview
api/package.json	Only @nestjs/core bumped to v11 while all other @nestjs/* packages remain at v10, creating a peer dependency conflict
yarn.lock	Lock file updated consistently with package.json, but reflects the v10/v11 NestJS split

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["@nestjs/core v11.1.18"] -->|"peer requires"| B["@nestjs/common ^11.0.0"]
    C["@nestjs/common ^10.4.6 installed"] -->|"does NOT satisfy"| B
    B --> D["Peer dependency conflict"]
    A -->|"peer requires"| E["@nestjs/platform-express ^11.0.0"]
    F["@nestjs/platform-express ^10.4.6 installed"] -->|"does NOT satisfy"| E
    E --> D

Loading

_{Reviews (1): Last reviewed commit: "build(deps): bump @nestjs/core from 8.0...." | Re-trigger Greptile}

[greptile-apps]

Incomplete NestJS major-version upgrade

Only @nestjs/core is bumped to v11 while @nestjs/common, @nestjs/platform-express, @nestjs/testing, and @nestjs/cli all remain at v10. @nestjs/core v11 declares @nestjs/common: "^11.0.0" as a peer dependency, but package.json constrains it to ^10.4.6. These packages share internal interfaces (NestContainer, ModuleRef, token types) that changed between major versions — this mismatch will cause runtime errors. All @nestjs/* packages must be co-upgraded to v11.

Rule Used: When updating dependencies via automated PRs (like... (source)

Learnt From
ever-co/ever-traduora#478