Skip to content

chore(deps): bump the npm-dependencies group across 1 directory with 42 updates#623

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-7b1dba4aff
Open

chore(deps): bump the npm-dependencies group across 1 directory with 42 updates#623
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-7b1dba4aff

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-dependencies group with 42 updates in the / directory:

Package From To
@clickhouse/client 1.18.2 1.22.0
@filoz/synapse-core 0.3.3 0.7.0
@ipld/car 5.4.2 5.4.6
@ipld/dag-pb 4.1.5 4.1.7
@nestjs/common 11.1.13 11.1.27
@nestjs/config 4.0.3 4.0.4
@nestjs/core 11.1.13 11.1.27
@nestjs/platform-express 11.1.13 11.1.27
@nestjs/schedule 6.1.1 6.1.3
@nestjs/swagger 11.2.6 11.4.4
@nestjs/typeorm 11.0.0 11.0.3
@willsoto/nestjs-prometheus 6.0.2 6.1.0
axios 1.13.5 1.18.1
class-validator 0.14.3 0.15.1
filecoin-pin 1.0.1 1.1.1
helmet 8.1.0 8.2.0
joi 18.0.2 18.2.3
pg 8.18.0 8.22.0
pg-boss 12.11.1 12.23.0
viem 2.48.11 2.53.1
@nestjs/cli 11.0.16 11.0.23
@nestjs/schematics 11.0.9 11.1.0
@nestjs/testing 11.1.13 11.1.27
ts-loader 9.5.4 9.6.2
assemblyscript 0.19.23 0.28.19
@radix-ui/react-slot 1.2.4 1.3.0
@radix-ui/react-switch 1.2.6 1.3.1
@tailwindcss/vite 4.2.4 4.3.1
date-fns 4.1.0 4.4.0
react 19.2.5 19.2.7
@types/react 19.2.14 19.2.17
react-dom 19.2.5 19.2.7
react-router-dom 7.13.0 7.18.0
recharts 3.7.0 3.9.0
swr 2.4.1 2.4.2
tailwind-merge 3.5.0 3.6.0
tailwindcss 4.2.4 4.3.1
msw 2.12.10 2.14.6
@biomejs/biome 2.3.14 2.5.1
@swc/core 1.15.11 1.15.43
@vitest/coverage-v8 4.0.18 4.1.9
vitest 4.0.18 4.1.9

Updates @clickhouse/client from 1.18.2 to 1.22.0

Release notes

Sourced from @​clickhouse/client's releases.

1.22.0

New features

  • (Node.js) The compression.request / compression.response client options now accept an explicit codec via an object, in addition to the existing boolean: true keeps gzip (backwards compatible), and { codec: "zstd" } selects zstd. The object form is intentionally extensible for future codecs and codec-specific options. zstd typically yields a similar-or-better ratio than gzip at noticeably lower CPU cost (gzip/DEFLATE is comparatively CPU-heavy and decompressed single-threaded by the ClickHouse server), and it uses the built-in zlib zstd support, so it requires Node.js >= 22.15.0 (@clickhouse/client throws a clear error at client creation otherwise). Response decompression is driven by the server's actual Content-Encoding, so it degrades gracefully. The request object form also accepts an optional level ({ codec, level }) to set the codec-specific compression level (zlib level for gzip, zstd compression level for zstd); the response compression level is controlled by the server. Supported only by @clickhouse/client (Node.js); @clickhouse/client-web rejects the zstd codec at client creation.

  • (Node.js) Brotli ({ codec: "br" }) is now supported for compression.request / compression.response, alongside gzip and zstd. Unlike zstd, Brotli is available on every supported Node.js version (no minimum-version requirement). The compression.request option is a per-codec discriminated union, so each codec exposes its own tuning option: a level for gzip/zstd, a quality for Brotli ({ codec: "br", quality }). When omitted, Brotli defaults to quality 4 for request bodies, since zlib's brotli default of 11 (max) is far too slow for a streaming insert path. Response decompression follows the server's Content-Encoding. Supported only by @clickhouse/client (Node.js).

Internal changes (@clickhouse/client-common)

These only affect code that imports the low-level connection primitives from the deprecated @clickhouse/client-common package directly (e.g. a custom Connection implementation). The createClient compression option is unchanged and fully backwards compatible — if you only use @clickhouse/client or @clickhouse/client-web, you are not affected.

To carry the codec (and its optional compression level) instead of a bare on/off flag, the internal compression representation changed shape:

  • CompressionSettings.compress_request / decompress_response are no longer boolean. They are now a normalized codec object or undefined (disabled): { codec: "gzip" | "zstd"; level?: number } | { codec: "br"; quality?: number } for the request, { codec: "gzip" | "zstd" | "br" } for the response (response compression options are chosen by the server). getConnectionParams normalizes the public request option into this form (true{ codec: "gzip" }).
  • withCompressionHeaders now takes request_compression_codec / response_compression_codec (a CompressionMethod | undefined) instead of the boolean enable_request_compression / enable_response_compression; the codec value is also the Content-Encoding / Accept-Encoding it emits.
  • withHttpSettings now takes the response codec object ({ codec } | undefined) instead of a boolean.
  • New exported types: CompressionMethod, RequestCompression, ResponseCompression.

Why: a single boolean could not express which codec to use or its level, and a separate level field on CompressionSettings would have mixed a codec-specific option into the shared type. Discriminating by codec keeps each codec's options on the codec it belongs to.

Documentation

  • Added two tracer adapter recipes to docs/howto/tracing.md and examples/node/coding/otel_tracing.ts, demonstrating how common OpenTelemetry auto-instrumentation options compose as thin userland wrappers around the tracer API instead of being baked into the client: requireParentSpan (skip ClickHouse spans when there is no active parent span — e.g. background health checks) and suppressing the duplicate nested HTTP spans emitted by @opentelemetry/instrumentation-http (via suppressTracing from @opentelemetry/core).

#864: ClickHouse/clickhouse-js#864

1.21.0

New features

  • The tracer API (unreleased, introduced in #776) now follows the OpenTelemetry database semantic conventions and matches the attribute vocabulary of the Rust client (clickhouse-rs); see docs/howto/tracing.md for the documentation. In particular (#828):

    • Spans now carry db.system.name (instead of db.system), server.address + server.port (instead of a combined host:port), clickhouse.request.query_id / clickhouse.request.session_id (instead of clickhouse.query_id / clickhouse.session_id), clickhouse.response.format on query and clickhouse.request.format on insert (instead of clickhouse.format), and db.operation.name + db.collection.name on insert (instead of clickhouse.table).
    • The span status is left unset on success (per the OTEL spec recommendation for client spans, previously set to OK); on failure, the span gets the error.type attribute (the error class name) and, for server-side errors, clickhouse.error.code (the numeric ClickHouse error code).
    • Spans record response-side attributes: db.response.status_code (HTTP status) and, when the X-ClickHouse-Summary header is available, clickhouse.summary.* counters (read_rows, written_rows, etc.).
    • query() now emits two spans: clickhouse.query covers the HTTP request lifetime and ends as soon as the response headers are received; a child clickhouse.query.stream span is handed to the ResultSet and tracks the stream consumption, ending when the response is fully read, closed, or fails - with the final clickhouse.response.decoded_bytes and (for row-streaming) db.response.returned_rows metrics. This separation makes it easy to distinguish the original request duration from a stream that may never end (e.g. tailing a live table).
    • Fixed a span leak in the Web ResultSet.stream() path: if the underlying fetch response stream was aborted (e.g. due to a network error), the clickhouse.query.stream span was never ended. The TransformStream now handles both source-stream aborts and consumer-side cancellations via a cancel callback.
    • The insert span records clickhouse.request.sent_rows for array-based inserts.
  • Added a use_multipart_params_auto client option (default: false). When enabled, query() automatically sends query_params as multipart/form-data body parts (the same mechanism as use_multipart_params) once their URL-encoded length exceeds 4096 characters, avoiding HTTP 414/400 errors from HTTP intermediaries (nginx, AWS ALB, CloudFront) caused by over-long URLs - for example, a large IN list or a high-dimensional vector embedding. Smaller parameter payloads remain in the URL query string, so existing behavior is unchanged unless the threshold is crossed. use_multipart_params: true still forces multipart for all queries regardless of size. This does not change the server's per-value size limit, which is governed by http_max_field_value_size. Supported on both @clickhouse/client and @clickhouse/client-web, and overridable per request via use_multipart_params_auto on query(). Ported from clickhouse-connect#789. (#827)

const client = createClient({ use_multipart_params_auto: true });
await client.query({
query: "SELECT * FROM events WHERE id IN {ids:Array(UInt64)}",
// Sent in the URL when small, auto-promoted to the multipart body when large
query_params: { ids: veryLargeArrayOfIds },
});

... (truncated)

Changelog

Sourced from @​clickhouse/client's changelog.

1.22.0

New features

  • (Node.js) The compression.request / compression.response client options now accept an explicit codec via an object, in addition to the existing boolean: true keeps gzip (backwards compatible), and { codec: "zstd" } selects zstd. The object form is intentionally extensible for future codecs and codec-specific options. zstd typically yields a similar-or-better ratio than gzip at noticeably lower CPU cost (gzip/DEFLATE is comparatively CPU-heavy and decompressed single-threaded by the ClickHouse server), and it uses the built-in zlib zstd support, so it requires Node.js >= 22.15.0 (@clickhouse/client throws a clear error at client creation otherwise). Response decompression is driven by the server's actual Content-Encoding, so it degrades gracefully. The request object form also accepts an optional level ({ codec, level }) to set the codec-specific compression level (zlib level for gzip, zstd compression level for zstd); the response compression level is controlled by the server. Supported only by @clickhouse/client (Node.js); @clickhouse/client-web rejects the zstd codec at client creation.

  • (Node.js) Brotli ({ codec: "br" }) is now supported for compression.request / compression.response, alongside gzip and zstd. Unlike zstd, Brotli is available on every supported Node.js version (no minimum-version requirement). The compression.request option is a per-codec discriminated union, so each codec exposes its own tuning option: a level for gzip/zstd, a quality for Brotli ({ codec: "br", quality }). When omitted, Brotli defaults to quality 4 for request bodies, since zlib's brotli default of 11 (max) is far too slow for a streaming insert path. Response decompression follows the server's Content-Encoding. Supported only by @clickhouse/client (Node.js).

Internal changes (@clickhouse/client-common)

These only affect code that imports the low-level connection primitives from the deprecated @clickhouse/client-common package directly (e.g. a custom Connection implementation). The createClient compression option is unchanged and fully backwards compatible — if you only use @clickhouse/client or @clickhouse/client-web, you are not affected.

To carry the codec (and its optional compression level) instead of a bare on/off flag, the internal compression representation changed shape:

  • CompressionSettings.compress_request / decompress_response are no longer boolean. They are now a normalized codec object or undefined (disabled): { codec: "gzip" | "zstd"; level?: number } | { codec: "br"; quality?: number } for the request, { codec: "gzip" | "zstd" | "br" } for the response (response compression options are chosen by the server). getConnectionParams normalizes the public request option into this form (true{ codec: "gzip" }).
  • withCompressionHeaders now takes request_compression_codec / response_compression_codec (a CompressionMethod | undefined) instead of the boolean enable_request_compression / enable_response_compression; the codec value is also the Content-Encoding / Accept-Encoding it emits.
  • withHttpSettings now takes the response codec object ({ codec } | undefined) instead of a boolean.
  • New exported types: CompressionMethod, RequestCompression, ResponseCompression.

Why: a single boolean could not express which codec to use or its level, and a separate level field on CompressionSettings would have mixed a codec-specific option into the shared type. Discriminating by codec keeps each codec's options on the codec it belongs to.

Documentation

  • Added two tracer adapter recipes to docs/howto/tracing.md and examples/node/coding/otel_tracing.ts, demonstrating how common OpenTelemetry auto-instrumentation options compose as thin userland wrappers around the tracer API instead of being baked into the client: requireParentSpan (skip ClickHouse spans when there is no active parent span — e.g. background health checks) and suppressing the duplicate nested HTTP spans emitted by @opentelemetry/instrumentation-http (via suppressTracing from @opentelemetry/core).

1.21.0

New features

  • The tracer API (unreleased, introduced in #776) now follows the OpenTelemetry database semantic conventions and matches the attribute vocabulary of the Rust client (clickhouse-rs); see docs/howto/tracing.md for the documentation. In particular (#828):

    • Spans now carry db.system.name (instead of db.system), server.address + server.port (instead of a combined host:port), clickhouse.request.query_id / clickhouse.request.session_id (instead of clickhouse.query_id / clickhouse.session_id), clickhouse.response.format on query and clickhouse.request.format on insert (instead of clickhouse.format), and db.operation.name + db.collection.name on insert (instead of clickhouse.table).
    • The span status is left unset on success (per the OTEL spec recommendation for client spans, previously set to OK); on failure, the span gets the error.type attribute (the error class name) and, for server-side errors, clickhouse.error.code (the numeric ClickHouse error code).
    • Spans record response-side attributes: db.response.status_code (HTTP status) and, when the X-ClickHouse-Summary header is available, clickhouse.summary.* counters (read_rows, written_rows, etc.).
    • query() now emits two spans: clickhouse.query covers the HTTP request lifetime and ends as soon as the response headers are received; a child clickhouse.query.stream span is handed to the ResultSet and tracks the stream consumption, ending when the response is fully read, closed, or fails - with the final clickhouse.response.decoded_bytes and (for row-streaming) db.response.returned_rows metrics. This separation makes it easy to distinguish the original request duration from a stream that may never end (e.g. tailing a live table).
    • Fixed a span leak in the Web ResultSet.stream() path: if the underlying fetch response stream was aborted (e.g. due to a network error), the clickhouse.query.stream span was never ended. The TransformStream now handles both source-stream aborts and consumer-side cancellations via a cancel callback.
    • The insert span records clickhouse.request.sent_rows for array-based inserts.
  • Added a use_multipart_params_auto client option (default: false). When enabled, query() automatically sends query_params as multipart/form-data body parts (the same mechanism as use_multipart_params) once their URL-encoded length exceeds 4096 characters, avoiding HTTP 414/400 errors from HTTP intermediaries (nginx, AWS ALB, CloudFront) caused by over-long URLs - for example, a large IN list or a high-dimensional vector embedding. Smaller parameter payloads remain in the URL query string, so existing behavior is unchanged unless the threshold is crossed. use_multipart_params: true still forces multipart for all queries regardless of size. This does not change the server's per-value size limit, which is governed by http_max_field_value_size. Supported on both @clickhouse/client and @clickhouse/client-web, and overridable per request via use_multipart_params_auto on query(). Ported from clickhouse-connect#789. (#827)

const client = createClient({ use_multipart_params_auto: true });
await client.query({
query: "SELECT * FROM events WHERE id IN {ids:Array(UInt64)}",
// Sent in the URL when small, auto-promoted to the multipart body when large
query_params: { ids: veryLargeArrayOfIds },
});

  • Added a use_multipart_params client option (default: false). When enabled, query() sends query_params as multipart/form-data body parts (with the SQL moved into a query part) instead of URL query-string entries, avoiding HTTP 400 errors caused by over-long URLs when parameters contain large arrays (25K+ values). All other URL search params (database, query_id, settings, session_id, role) remain in the URL. Supported on both @clickhouse/client and @clickhouse/client-web, and overridable per request via use_multipart_params on query(). (#825)

... (truncated)

Commits
  • bb7d9d2 Merge pull request #862 from ClickHouse/main
  • 4a86c42 Bump undici from 8.4.1 to 8.5.0 (#858)
  • 56b48ee Bump the dev-dependencies group across 1 directory with 12 updates (#854)
  • 6a5d177 Investigating Codecov coverage upload problems (#860)
  • e000ada Add tracer adapter recipes (requireParentSpan, suppress nested HTTP spans) (#...
  • 45fdbee Follow-up to #849: simplify the unknown-encoding decompression test (#859)
  • 09be3c5 Brotli (br) compression codec and per-codec request compression options (#849)
  • e6c3113 Improving codecov upload process and reporting (#857)
  • dc4c322 Add OSS-dependent integration tests to guard breaking changes (#856)
  • a385828 Make Dependabot CI green by default by skipping secret-dependent jobs (#855)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​clickhouse/client since your current version.


Updates @filoz/synapse-core from 0.3.3 to 0.7.0

Release notes

Sourced from @​filoz/synapse-core's releases.

synapse-core: v0.7.0

0.7.0 (2026-06-11)

⚠ BREAKING CHANGES

  • costs: per-operation pricing price list (#823)
  • provider-relayed service termination as the default path (#827)

Features

  • costs: per-operation pricing price list (#823) (66af832)
  • provider-relayed service termination as the default path (#827) (06152d0)

Bug Fixes

  • synapse-core: update filecoin-services ref to v1.3.0 (#831) (b500c44)
  • update termination service error handling and response schemas (#842) (71b300f)

Chores

  • synapse-core: update filecoin-services ref to final v1.3.0 deployments (#844) (94e2a0d)
  • update to pnpm 11 and dependencies across multiple packages (95a620c)

synapse-core: v0.6.1

0.6.1 (2026-06-09)

Bug Fixes

  • synapse-core: keep findPiece polling through transient 404s (#828) (fadc836)

synapse-core: v0.6.0

0.6.0 (2026-06-04)

⚠ BREAKING CHANGES

  • typehash: DeleteDataSetPermission is replaced by TerminateServicePermission. Existing session keys must be re-minted; passing a stale session key to Synapse.create() fails because the default permission set no longer matches.
  • piece: vendor PieceCID, redesign API (#795)

Features

  • cap addPieces batches at 40, tighten piece metadata limits (#814) (06b4f65)
  • piece: vendor PieceCID, redesign API (#795) (ec0c254)

Bug Fixes

... (truncated)

Changelog

Sourced from @​filoz/synapse-core's changelog.

0.7.0 (2025-06-10)

Features

  • storage: implement smart provider selection to prefer existing relationships (8433899)

0.6.1 (2025-06-10)

Trivial Changes

  • deps-dev: bump @​types/node from 22.15.31 to 24.0.0 (fecfaa5)

0.6.0 (2025-06-10)

Features

  • utils: add Pandora storage provider admin portal [skip ci] (#79) (e6a79bc)

Bug Fixes

  • remove 60s delay after createproofset and associated testing hack (353551a)

Trivial Changes

  • docs: move ADMIN_SAFE_INTEGRATION_PLAN.md to utils (4167234)

0.5.0 (2025-06-09)

Features

  • add minimum upload size validation and improve storage reliability (4270590)
  • storage: add creation callbacks and remove out-of-scope methods (2de7f91)
  • storage: implement download method and simplify DownloadOptions (05c1b79)
  • storage: implement preflight checks and refactor allowance API (2746cba)
  • storage: implement provider selection and proof set management (9faf04f)
  • storage: implement upload method with UploadCallbacks (e289ae9)

Bug Fixes

  • add hack to skip 60s delay in upload during tests (f4ade39)
  • docs: update README examples for latest signatures (b574a90)
  • pdp: restore correct upload protocol with check object (18618b2)
  • semantic-release bug (bf340d8)

Trivial Changes

  • remove example-usage.js in favour of new examples in utils/ (72dbe23)
  • remove unused getters (1bed0db)
  • use ethers.js utilities instead of hardcoded decimals (8895422)

... (truncated)

Commits
  • e5789b9 chore(release): 0.7.0 [skip ci]
  • 8433899 feat(storage): implement smart provider selection to prefer existing relation...
  • f2023b1 chore(release): 0.6.1 [skip ci]
  • fecfaa5 chore(deps-dev): bump @​types/node from 22.15.31 to 24.0.0
  • d6c2fd9 doc: minor tool updates in utils
  • b0ffabe chore(release): 0.6.0 [skip ci]
  • 4167234 chore(docs): move ADMIN_SAFE_INTEGRATION_PLAN.md to utils
  • 353551a fix: remove 60s delay after createproofset and associated testing hack
  • e6a79bc feat(utils): add Pandora storage provider admin portal [skip ci] (#79)
  • 2482e2c chore(release): 0.5.0 [skip ci]
  • Additional commits viewable in compare view

Updates @ipld/car from 5.4.2 to 5.4.6

Release notes

Sourced from @​ipld/car's releases.

v5.4.6

5.4.6 (2026-05-12)

Trivial Changes

  • deps: bump @​ipld/dag-json from 10.2.9 to 11.0.0 in /examples (#184) (eefd849)

Dependencies

  • bump @​ipld/dag-cbor from 9.2.7 to 10.0.1 (#182) (a2ab328)

v5.4.5

5.4.5 (2026-05-11)

Trivial Changes

  • deps: bump multiformats from 13.4.2 to 14.0.0 in /examples (#181) (d3255f1)

Dependencies

  • bump multiformats from 13.4.2 to 14.0.0 (#180) (e1d683e)

v5.4.4

5.4.4 (2026-05-07)

Dependencies

  • dev: bump aegir from 47.2.0 to 48.0.1 (#179) (a3dca47)

v5.4.3

5.4.3 (2026-04-02)

Trivial Changes

  • deps: bump multiformats from 12.1.3 to 13.4.2 in /examples (#176) (2c87540)

Dependencies

Changelog

Sourced from @​ipld/car's changelog.

5.4.6 (2026-05-12)

Trivial Changes

  • deps: bump @​ipld/dag-json from 10.2.9 to 11.0.0 in /examples (#184) (eefd849)

Dependencies

  • bump @​ipld/dag-cbor from 9.2.7 to 10.0.1 (#182) (a2ab328)

5.4.5 (2026-05-11)

Trivial Changes

  • deps: bump multiformats from 13.4.2 to 14.0.0 in /examples (#181) (d3255f1)

Dependencies

  • bump multiformats from 13.4.2 to 14.0.0 (#180) (e1d683e)

5.4.4 (2026-05-07)

Dependencies

  • dev: bump aegir from 47.2.0 to 48.0.1 (#179) (a3dca47)

5.4.3 (2026-04-02)

Trivial Changes

  • deps: bump multiformats from 12.1.3 to 13.4.2 in /examples (#176) (2c87540)

Dependencies

Commits
  • 547e433 chore(release): 5.4.6 [skip ci]
  • a2ab328 deps: bump @​ipld/dag-cbor from 9.2.7 to 10.0.1 (#182)
  • eefd849 chore(deps): bump @​ipld/dag-json from 10.2.9 to 11.0.0 in /examples (#184)
  • 55f9112 chore(release): 5.4.5 [skip ci]
  • e1d683e deps: bump multiformats from 13.4.2 to 14.0.0 (#180)
  • d3255f1 chore(deps): bump multiformats from 13.4.2 to 14.0.0 in /examples (#181)
  • ed69005 chore(release): 5.4.4 [skip ci]
  • a3dca47 deps(dev): bump aegir from 47.2.0 to 48.0.1 (#179)
  • 13d6e56 chore(release): 5.4.3 [skip ci]
  • 40ddb9c deps: bump cborg from 4.5.8 to 5.0.0 (#178)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ipld/car since your current version.


Updates @ipld/dag-pb from 4.1.5 to 4.1.7

Release notes

Sourced from @​ipld/dag-pb's releases.

v4.1.7

4.1.7 (2026-05-11)

Dependencies

  • bump multiformats from 13.4.2 to 14.0.0 (#109) (81887a9)

v4.1.6

4.1.6 (2026-05-07)

Dependencies

  • dev: bump aegir from 47.2.0 to 48.0.1 (#108) (d573d19)
Changelog

Sourced from @​ipld/dag-pb's changelog.

4.1.7 (2026-05-11)

Dependencies

  • bump multiformats from 13.4.2 to 14.0.0 (#109) (81887a9)

4.1.6 (2026-05-07)

Dependencies

  • dev: bump aegir from 47.2.0 to 48.0.1 (#108) (d573d19)
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ipld/dag-pb since your current version.


Updates @nestjs/common from 11.1.13 to 11.1.27

Release notes

Sourced from @​nestjs/common's releases.

v11.1.27

What's Changed

Full Changelog: nestjs/nest@v11.1.26...v11.1.27

v11.1.26

What's Changed

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core

... (truncated)

Commits
  • 660a124 chore(release): publish v11.1.27 release
  • aa5c4f1 chore: update readme and package.json
  • 9ff83d5 chore(release): publish v11.1.26 release
  • 02f8041 chore(release): publish v11.1.25 release
  • 1634915 test(common): Add unit tests for cli-colors utility
  • 380bf5c Merge pull request #17058 from Se3do/test/extend-metadata
  • af4542b test(common): Add unit tests for assignCustomParameterMetadata
  • b67aea1 test(common): Add unit tests for extendArrayMetadata
  • e1e4014 test(common): Tighten throw assertions in validateModuleKeys spec
  • 6b97771 test(common): Add unit tests for validateModuleKeys
  • Additional commits viewable in compare view

Updates @nestjs/config from 4.0.3 to 4.0.4

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.4

  • fix(deps): update dependency dotenv to v17.4.1 (6bc5737)
  • fix(deps): update dependency lodash to v4.18.1 [security] (f31ee98)
Commits
  • 3b5d592 chore(): release v4.0.4
  • 4fbcb03 Merge pull request #2263 from nestjs/renovate/dotenv-17.x
  • 33dae89 Merge pull request #2269 from nestjs/renovate/cimg-node-24.x
  • 0a727c3 Merge pull request #2313 from nestjs/renovate/npm-lodash-vulnerability
  • 6bc5737 fix(deps): update dependency dotenv to v17.4.1
  • f31ee98 fix(deps): update dependency lodash to v4.18.1 [security]
  • 059314c chore(deps): update dependency typescript-eslint to v8.58.1 (#2315)
  • 0f81e2d chore(deps): update dependency eslint to v10.2.0 (#2314)
  • e673ab2 chore(deps): update dependency @​types/node to v24.12.2 (#2311)
  • b1ede30 chore(deps): update nest monorepo to v11.1.18 (#2312)
  • Additional commits viewable in compare view

Updates @nestjs/core from 11.1.13 to 11.1.27

Release notes

Sourced from @​nestjs/core's releases.

v11.1.27

What's Changed

Full Changelog: nestjs/nest@v11.1.26...v11.1.27

v11.1.26

What's Changed

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core

... (truncated)

Commits
  • 660a124 chore(release): publish v11.1.27 release
  • 5c5e9ba fix(core): sse async handlers teardown issue #17128
  • aa5c4f1 chore: update readme and package.json
  • 9ff83d5 chore(release): publish v11.1.26 release
  • 0f398fd test: fix broken unit test
  • d152eec fix(core): post sse endpoint empty response #17098
  • 02f8041 chore(release): publish v11.1.25 release
  • e2ad4e2 Update package.json
  • 396cf81 refactor(core): avoid duplicating sse intercept call
  • 55cd699 fix(core): preserve deferred SSE handlers
  • Additional commits ...

    Description has been truncated

…42 updates

Bumps the npm-dependencies group with 42 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@clickhouse/client](https://github.com/ClickHouse/clickhouse-js) | `1.18.2` | `1.22.0` |
| [@filoz/synapse-core](https://github.com/FilOzone/synapse-sdk) | `0.3.3` | `0.7.0` |
| [@ipld/car](https://github.com/ipld/js-car) | `5.4.2` | `5.4.6` |
| [@ipld/dag-pb](https://github.com/ipld/js-dag-pb) | `4.1.5` | `4.1.7` |
| [@nestjs/common](https://github.com/nestjs/nest/tree/HEAD/packages/common) | `11.1.13` | `11.1.27` |
| [@nestjs/config](https://github.com/nestjs/config) | `4.0.3` | `4.0.4` |
| [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core) | `11.1.13` | `11.1.27` |
| [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express) | `11.1.13` | `11.1.27` |
| [@nestjs/schedule](https://github.com/nestjs/schedule) | `6.1.1` | `6.1.3` |
| [@nestjs/swagger](https://github.com/nestjs/swagger) | `11.2.6` | `11.4.4` |
| [@nestjs/typeorm](https://github.com/nestjs/typeorm) | `11.0.0` | `11.0.3` |
| [@willsoto/nestjs-prometheus](https://github.com/willsoto/nestjs-prometheus) | `6.0.2` | `6.1.0` |
| [axios](https://github.com/axios/axios) | `1.13.5` | `1.18.1` |
| [class-validator](https://github.com/typestack/class-validator) | `0.14.3` | `0.15.1` |
| [filecoin-pin](https://github.com/filecoin-project/filecoin-pin) | `1.0.1` | `1.1.1` |
| [helmet](https://github.com/helmetjs/helmet) | `8.1.0` | `8.2.0` |
| [joi](https://github.com/hapijs/joi) | `18.0.2` | `18.2.3` |
| [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) | `8.18.0` | `8.22.0` |
| [pg-boss](https://github.com/timgit/pg-boss) | `12.11.1` | `12.23.0` |
| [viem](https://github.com/wevm/viem) | `2.48.11` | `2.53.1` |
| [@nestjs/cli](https://github.com/nestjs/nest-cli) | `11.0.16` | `11.0.23` |
| [@nestjs/schematics](https://github.com/nestjs/schematics) | `11.0.9` | `11.1.0` |
| [@nestjs/testing](https://github.com/nestjs/nest/tree/HEAD/packages/testing) | `11.1.13` | `11.1.27` |
| [ts-loader](https://github.com/TypeStrong/ts-loader) | `9.5.4` | `9.6.2` |
| [assemblyscript](https://github.com/AssemblyScript/assemblyscript) | `0.19.23` | `0.28.19` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.4` | `1.3.0` |
| [@radix-ui/react-switch](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/switch) | `1.2.6` | `1.3.1` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.1` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.1.0` | `4.4.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.7` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.13.0` | `7.18.0` |
| [recharts](https://github.com/recharts/recharts) | `3.7.0` | `3.9.0` |
| [swr](https://github.com/vercel/swr) | `2.4.1` | `2.4.2` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.1` |
| [msw](https://github.com/mswjs/msw) | `2.12.10` | `2.14.6` |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.3.14` | `2.5.1` |
| [@swc/core](https://github.com/swc-project/swc/tree/HEAD/packages/core) | `1.15.11` | `1.15.43` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.9` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.9` |



Updates `@clickhouse/client` from 1.18.2 to 1.22.0
- [Release notes](https://github.com/ClickHouse/clickhouse-js/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-js/blob/main/CHANGELOG.md)
- [Commits](ClickHouse/clickhouse-js@1.18.2...1.22.0)

Updates `@filoz/synapse-core` from 0.3.3 to 0.7.0
- [Release notes](https://github.com/FilOzone/synapse-sdk/releases)
- [Changelog](https://github.com/FilOzone/synapse-sdk/blob/v0.7.0/CHANGELOG.md)
- [Commits](FilOzone/synapse-sdk@synapse-core-v0.3.3...v0.7.0)

Updates `@ipld/car` from 5.4.2 to 5.4.6
- [Release notes](https://github.com/ipld/js-car/releases)
- [Changelog](https://github.com/ipld/js-car/blob/master/CHANGELOG.md)
- [Commits](ipld/js-car@v5.4.2...v5.4.6)

Updates `@ipld/dag-pb` from 4.1.5 to 4.1.7
- [Release notes](https://github.com/ipld/js-dag-pb/releases)
- [Changelog](https://github.com/ipld/js-dag-pb/blob/master/CHANGELOG.md)
- [Commits](ipld/js-dag-pb@v4.1.5...v4.1.7)

Updates `@nestjs/common` from 11.1.13 to 11.1.27
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.27/packages/common)

Updates `@nestjs/config` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/nestjs/config/releases)
- [Commits](nestjs/config@4.0.3...4.0.4)

Updates `@nestjs/core` from 11.1.13 to 11.1.27
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.27/packages/core)

Updates `@nestjs/platform-express` from 11.1.13 to 11.1.27
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.27/packages/platform-express)

Updates `@nestjs/schedule` from 6.1.1 to 6.1.3
- [Release notes](https://github.com/nestjs/schedule/releases)
- [Commits](nestjs/schedule@6.1.1...6.1.3)

Updates `@nestjs/swagger` from 11.2.6 to 11.4.4
- [Release notes](https://github.com/nestjs/swagger/releases)
- [Commits](nestjs/swagger@11.2.6...11.4.4)

Updates `@nestjs/typeorm` from 11.0.0 to 11.0.3
- [Release notes](https://github.com/nestjs/typeorm/releases)
- [Commits](nestjs/typeorm@11.0.0...11.0.3)

Updates `@willsoto/nestjs-prometheus` from 6.0.2 to 6.1.0
- [Release notes](https://github.com/willsoto/nestjs-prometheus/releases)
- [Changelog](https://github.com/willsoto/nestjs-prometheus/blob/main/CHANGELOG.md)
- [Commits](willsoto/nestjs-prometheus@v6.0.2...v6.1.0)

Updates `axios` from 1.13.5 to 1.18.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.18.1)

Updates `class-validator` from 0.14.3 to 0.15.1
- [Release notes](https://github.com/typestack/class-validator/releases)
- [Changelog](https://github.com/typestack/class-validator/blob/develop/CHANGELOG.md)
- [Commits](typestack/class-validator@v0.14.3...v0.15.1)

Updates `filecoin-pin` from 1.0.1 to 1.1.1
- [Release notes](https://github.com/filecoin-project/filecoin-pin/releases)
- [Changelog](https://github.com/filecoin-project/filecoin-pin/blob/master/CHANGELOG.md)
- [Commits](filecoin-project/filecoin-pin@v1.0.1...v1.1.1)

Updates `helmet` from 8.1.0 to 8.2.0
- [Changelog](https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md)
- [Commits](helmetjs/helmet@v8.1.0...v8.2.0)

Updates `joi` from 18.0.2 to 18.2.3
- [Commits](hapijs/joi@v18.0.2...v18.2.3)

Updates `pg` from 8.18.0 to 8.22.0
- [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianc/node-postgres/commits/pg@8.22.0/packages/pg)

Updates `pg-boss` from 12.11.1 to 12.23.0
- [Release notes](https://github.com/timgit/pg-boss/releases)
- [Commits](timgit/pg-boss@12.11.1...12.23.0)

Updates `viem` from 2.48.11 to 2.53.1
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.48.11...viem@2.53.1)

Updates `@nestjs/cli` from 11.0.16 to 11.0.23
- [Release notes](https://github.com/nestjs/nest-cli/releases)
- [Commits](nestjs/nest-cli@11.0.16...11.0.23)

Updates `@nestjs/schematics` from 11.0.9 to 11.1.0
- [Release notes](https://github.com/nestjs/schematics/releases)
- [Commits](nestjs/schematics@11.0.9...11.1.0)

Updates `@nestjs/testing` from 11.1.13 to 11.1.27
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.27/packages/testing)

Updates `ts-loader` from 9.5.4 to 9.6.2
- [Release notes](https://github.com/TypeStrong/ts-loader/releases)
- [Changelog](https://github.com/TypeStrong/ts-loader/blob/main/CHANGELOG.md)
- [Commits](TypeStrong/ts-loader@v9.5.4...v9.6.2)

Updates `assemblyscript` from 0.19.23 to 0.28.19
- [Release notes](https://github.com/AssemblyScript/assemblyscript/releases)
- [Commits](AssemblyScript/assemblyscript@v0.19.23...v0.28.19)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-switch` from 1.2.6 to 1.3.1
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/switch/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/switch)

Updates `@tailwindcss/vite` from 4.2.4 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite)

Updates `date-fns` from 4.1.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.1.0...v4.4.0)

Updates `react` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `react-router-dom` from 7.13.0 to 7.18.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/react-router-dom@7.18.0/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.18.0/packages/react-router-dom)

Updates `recharts` from 3.7.0 to 3.9.0
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.7.0...v3.9.0)

Updates `swr` from 2.4.1 to 2.4.2
- [Release notes](https://github.com/vercel/swr/releases)
- [Commits](vercel/swr@v2.4.1...v2.4.2)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `tailwindcss` from 4.2.4 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `msw` from 2.12.10 to 2.14.6
- [Release notes](https://github.com/mswjs/msw/releases)
- [Changelog](https://github.com/mswjs/msw/blob/main/CHANGELOG.md)
- [Commits](mswjs/msw@v2.12.10...v2.14.6)

Updates `@biomejs/biome` from 2.3.14 to 2.5.1
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.1/packages/@biomejs/biome)

Updates `@swc/core` from 1.15.11 to 1.15.43
- [Release notes](https://github.com/swc-project/swc/releases)
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md)
- [Commits](https://github.com/swc-project/swc/commits/v1.15.43/packages/core)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `vitest` from 4.0.18 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@clickhouse/client"
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@filoz/synapse-core"
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@ipld/car"
  dependency-version: 5.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@ipld/dag-pb"
  dependency-version: 4.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/common"
  dependency-version: 11.1.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/config"
  dependency-version: 4.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/platform-express"
  dependency-version: 11.1.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/schedule"
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/swagger"
  dependency-version: 11.4.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/typeorm"
  dependency-version: 11.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@willsoto/nestjs-prometheus"
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: axios
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: class-validator
  dependency-version: 0.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: filecoin-pin
  dependency-version: 1.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: helmet
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: joi
  dependency-version: 18.2.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: pg
  dependency-version: 8.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: pg-boss
  dependency-version: 12.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: viem
  dependency-version: 2.53.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/cli"
  dependency-version: 11.0.23
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/schematics"
  dependency-version: 11.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@nestjs/testing"
  dependency-version: 11.1.27
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: ts-loader
  dependency-version: 9.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: assemblyscript
  dependency-version: 0.28.19
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@radix-ui/react-switch"
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: react-router-dom
  dependency-version: 7.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: recharts
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: swr
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: msw
  dependency-version: 2.14.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@swc/core"
  dependency-version: 1.15.43
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@FilOzzy FilOzzy added this to FOC Jun 29, 2026
@github-project-automation github-project-automation Bot moved this to 📌 Triage in FOC Jun 29, 2026
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @mswjs/interceptors is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/msw@2.14.6npm/vitest@4.1.9npm/@mswjs/interceptors@0.41.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mswjs/interceptors@0.41.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry/node-core is 60.0% likely obfuscated

Confidence: 0.60

Location: Package overview

From: pnpm-lock.yamlnpm/filecoin-pin@1.1.1npm/@sentry/node-core@10.62.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/node-core@10.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm date-fns is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/web/package.jsonnpm/date-fns@4.4.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/date-fns@4.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm immer is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/recharts@3.9.0npm/immer@11.1.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immer@11.1.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm recharts is 62.0% likely obfuscated

Confidence: 0.62

Location: Package overview

From: apps/web/package.jsonnpm/recharts@3.9.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/recharts@3.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm strtok3 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@nestjs/common@11.1.27npm/strtok3@10.3.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/strtok3@10.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm validator is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/class-validator@0.15.1npm/validator@13.15.35

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/validator@13.15.35. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm webpack is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@nestjs/cli@11.0.23npm/ts-loader@9.6.2npm/webpack@5.106.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.106.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/msw@2.14.6npm/vitest@4.1.9npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@BigLep BigLep moved this from 📌 Triage to 🐱 Todo in FOC Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

Status: 🐱 Todo

Development

Successfully merging this pull request may close these issues.

2 participants