deps(example): bump the dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the dependencies group with 10 updates in the /examples/nestjs-graphql directory:

Package	From	To
@nestjs/apollo	12.2.2	13.0.1
@nestjs/config	3.3.0	4.0.0
@nestjs/core	10.4.15	11.0.3
@nestjs/graphql	12.2.2	13.0.1
@nestjs/platform-express	10.4.15	11.0.3
@nestjs/cli	10.4.9	11.0.0
@nestjs/schematics	10.2.3	11.0.0
@typescript-eslint/eslint-plugin	8.20.0	8.21.0
@typescript-eslint/parser	8.20.0	8.21.0
eslint-plugin-prettier	5.2.2	5.2.3

Updates @nestjs/apollo from 12.2.2 to 13.0.1

Release notes

Sourced from @​nestjs/apollo's releases.

v13.0.0

13.0.0 (2025-01-16)

Dependencies

• graphql
  • NestJS v11 support (migration guide https://docs.nestjs.com/migration-guide)
  • graphql-ws v6 support (release & migration guide https://github.com/enisdenjo/graphql-ws/releases/tag/v6.0.0)
• mercurius
  • Fastify v5 support (release https://github.com/fastify/fastify/releases/tag/v5.0.0)
  • Mercurius v16 support (release https://github.com/mercurius-js/mercurius/releases/tag/v16.0.0)

Commits

• 4706ad2 v13.0.1
• f2d5c63 chore: update mixed up deps
• 6b3b90f chore: update linter tsconfig root dir
• 82d28fc v13.0.0
• 0a39884 chore: upgrade deps
• b0368d1 Merge pull request #3425 from nestjs/renovate/fast-glob-3.x
• 25d39cf Merge pull request #3402 from nikeee/master
• 09027f8 Merge pull request #3431 from nestjs/renovate/graphql-ws-5.x
• 3b5f8ae Merge pull request #3335 from nestjs/renovate/fastify-5.x
• 6698db4 Merge pull request #3428 from nestjs/renovate/graphql-tools-monorepo
• Additional commits viewable in compare view

Updates @nestjs/config from 3.3.0 to 4.0.0

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.0

Breaking changes

The order in which configuration variables are read by the ConfigService#get method has been updated. The new order is:

• Internal configuration (config namespaces and custom config files)
• Validated environment variables (if validation is enabled and a schema is provided)
• The process.env object

Previously, validated environment variables and the process.env object were read first, preventing them from being overridden by internal configuration. With this update, internal configuration will now always take precedence over environment variables.

Additionally, the ignoreEnvVars configuration option, which previously allowed disabling validation of the process.env object, has been deprecated. Instead, use the validatePredefined option (set to false to disable validation of predefined environment variables). Predefined environment variables refer to process.env variables that were set before the module was imported. For example, if you start your application with PORT=3000 node main.js, the PORT variable is considered predefined. However, variables loaded by the ConfigModule from a .env file are not classified as predefined.

A new skipProcessEnv option has also been introduced. This option allows you to prevent the ConfigService#get method from accessing the process.env object entirely, which can be helpful when you want to restrict the service from reading environment variables directly.

Changelog

• chore: update config attributes to more self descriptive names (c2eaf04)
• chore(deps): update nest monorepo to v11 (1c20713)
• feat: order of reading variables, add skip predefined (c53c63c)

Commits

• 163a4a8 chore(): release v4.0.0
• c2eaf04 chore: update config attributes to more self descriptive names
• ce18cb8 Merge branch 'master' into next
• 49c13fc test: update integration test to use new dotenv-expand opts
• a1225db chore: upgrade eslint, update deps, ci setup
• 1c54dde Merge pull request #1919 from foxadb/refactor-missing-return-types
• 6411b7d Merge pull request #1925 from nestjs/renovate/major-nest-monorepo
• e9c8727 Merge pull request #1883 from nestjs/feat/skip-predefined-change-order
• 94852a5 chore(deps): update dependency lint-staged to v15.4.1 (#1926)
• 49eec57 chore(deps): update dependency lint-staged to v15.4.0 (#1924)
• Additional commits viewable in compare view

Updates @nestjs/core from 10.4.15 to 11.0.3

Release notes

Sourced from @​nestjs/core's releases.

v11.0.0 (2025-01-16)

Article: coming soon 📆 Migration guide: https://docs.nestjs.com/migration-guide 👈 👈 👈

⚠️ Node v16 and v18 are no longer supported (>= v20 is required).

Features

• common, core, microservices
  • #14142 feat(microservices): add status, unwrap, on methods to microservice transporters (clients/servers) (@​kamilmysliwiec)
• • #14121 feat(common): add json logger, built-in logger improvements (@​kamilmysliwiec)
• common, core
  • #13336 feat(core): introduce different module opaque key factories (improve bootstrap performance) (@​kamilmysliwiec)
• common, core, microservices, platform-express, platform-fastify, platform-socket.io, platform-ws, testing, websockets
  • #14238 chore(deps): upgrade to express v5, fastify v5, add legacy route path converter to minimize breaking changes (@​kamilmysliwiec)

Enhancements

• common
  • #14213 feat(common): add error messages for file validators (@​mag123c)
  • #14131 feat(common): allow passing number to http error createBody (@​kamilmysliwiec)
  • #14122 feat(common): add ParseDatePipe, add tsdoc to other pipes (@​kamilmysliwiec)
  • #12735 feat(common)!: type narrowing allowed injection tokens for @Inject() (@​micalevisk)
  • #12764 fix(common): apply options to plaintoclass in classserializerinterceptor (@​kmw14641)
  • #14126 fix(common): type narrowing context parameter on createParamDecorator's callback (@​EeeasyCode)
  • #13628 chore(class-transformer): plainToClass is deprectated and replaced with plainToInstance (@​tomflorentin)
• microservices
  • #14200 feat(microservices): support nats queue per handler (@​kamilmysliwiec)
  • #13924 feat(microservices): add gracefull shutdown option for nats server (@​alinowrouzii)
  • #12622 feat: allow for microservice options to come from the di container (@​jmcdo29)
  • #14134 feat(microservices): add max tcp packet buffer length (@​kamilmysliwiec)
  • #12761 feat(microservices): ability to use a random port for the TCP server (@​PieterScheffers)
• websockets
  • #14184 feat(websockets): include exception cause to associate error with req (@​kamilmysliwiec)
• common, core, microservices, websockets
  • #14182 feat(common): introduce intrinsic exception (@​kamilmysliwiec)
• common, core, platform-fastify
  • #13278 feat(core,common,platform-fastify): add webdav http methods support (@​johaven)
• platform-express
  • #13407 feat: add multer error fieldname to the exception message (@​mmgroner)
• platform-ws
  • #14127 feat(ws): introduce message parser for ws adapter (@​CodyTseng)
• platform-fastify
  • #14115 chore(fastify): update fastify view options interface (@​Tony133)
  • #14116 refactor(fastify): update fastify static options interface (@​Tony133)
• common, core
  • #14113 feat(core): allow overriding abortOnError for the select method (@​kamilmysliwiec)

Bug fixes

• core
  • #14267 fix shutdown hooks order (@​flovouin)

... (truncated)

Commits

• cbebdd2 chore(@​nestjs) publish v11.0.3 release
• fca5ebb chore(@​nestjs) publish v11.0.2 release
• 0f617d4 chore(@​nestjs) publish v11.0.1 release
• d6b9fee fix: normalize middle wildcards, call path-to-regexp early
• 1299888 chore: update readme
• e19b586 chore(@​nestjs) publish v11.0.0 release
• 95654f9 chore: update package.json
• 6791b6c style: address lint errors
• db2a9b5 chore: resolve conflicts
• a24ef96 chore(deps): Update opencollective to 0.4.1 under new scope
• Additional commits viewable in compare view

Updates @nestjs/graphql from 12.2.2 to 13.0.1

Release notes

Sourced from @​nestjs/graphql's releases.

v13.0.0

13.0.0 (2025-01-16)

Dependencies

• graphql
  • NestJS v11 support (migration guide https://docs.nestjs.com/migration-guide)
  • graphql-ws v6 support (release & migration guide https://github.com/enisdenjo/graphql-ws/releases/tag/v6.0.0)
• mercurius
  • Fastify v5 support (release https://github.com/fastify/fastify/releases/tag/v5.0.0)
  • Mercurius v16 support (release https://github.com/mercurius-js/mercurius/releases/tag/v16.0.0)

Commits

• 4706ad2 v13.0.1
• f2d5c63 chore: update mixed up deps
• 6b3b90f chore: update linter tsconfig root dir
• 82d28fc v13.0.0
• 0a39884 chore: upgrade deps
• b0368d1 Merge pull request #3425 from nestjs/renovate/fast-glob-3.x
• 25d39cf Merge pull request #3402 from nikeee/master
• 09027f8 Merge pull request #3431 from nestjs/renovate/graphql-ws-5.x
• 3b5f8ae Merge pull request #3335 from nestjs/renovate/fastify-5.x
• 6698db4 Merge pull request #3428 from nestjs/renovate/graphql-tools-monorepo
• Additional commits viewable in compare view

Updates @nestjs/platform-express from 10.4.15 to 11.0.3

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.0.0 (2025-01-16)

Article: coming soon 📆 Migration guide: https://docs.nestjs.com/migration-guide 👈 👈 👈

⚠️ Node v16 and v18 are no longer supported (>= v20 is required).

Features

• common, core, microservices
  • #14142 feat(microservices): add status, unwrap, on methods to microservice transporters (clients/servers) (@​kamilmysliwiec)
• • #14121 feat(common): add json logger, built-in logger improvements (@​kamilmysliwiec)
• common, core
  • #13336 feat(core): introduce different module opaque key factories (improve bootstrap performance) (@​kamilmysliwiec)
• common, core, microservices, platform-express, platform-fastify, platform-socket.io, platform-ws, testing, websockets
  • #14238 chore(deps): upgrade to express v5, fastify v5, add legacy route path converter to minimize breaking changes (@​kamilmysliwiec)

Enhancements

• common
  • #14213 feat(common): add error messages for file validators (@​mag123c)
  • #14131 feat(common): allow passing number to http error createBody (@​kamilmysliwiec)
  • #14122 feat(common): add ParseDatePipe, add tsdoc to other pipes (@​kamilmysliwiec)
  • #12735 feat(common)!: type narrowing allowed injection tokens for @Inject() (@​micalevisk)
  • #12764 fix(common): apply options to plaintoclass in classserializerinterceptor (@​kmw14641)
  • #14126 fix(common): type narrowing context parameter on createParamDecorator's callback (@​EeeasyCode)
  • #13628 chore(class-transformer): plainToClass is deprectated and replaced with plainToInstance (@​tomflorentin)
• microservices
  • #14200 feat(microservices): support nats queue per handler (@​kamilmysliwiec)
  • #13924 feat(microservices): add gracefull shutdown option for nats server (@​alinowrouzii)
  • #12622 feat: allow for microservice options to come from the di container (@​jmcdo29)
  • #14134 feat(microservices): add max tcp packet buffer length (@​kamilmysliwiec)
  • #12761 feat(microservices): ability to use a random port for the TCP server (@​PieterScheffers)
• websockets
  • #14184 feat(websockets): include exception cause to associate error with req (@​kamilmysliwiec)
• common, core, microservices, websockets
  • #14182 feat(common): introduce intrinsic exception (@​kamilmysliwiec)
• common, core, platform-fastify
  • #13278 feat(core,common,platform-fastify): add webdav http methods support (@​johaven)
• platform-express
  • #13407 feat: add multer error fieldname to the exception message (@​mmgroner)
• platform-ws
  • #14127 feat(ws): introduce message parser for ws adapter (@​CodyTseng)
• platform-fastify
  • #14115 chore(fastify): update fastify view options interface (@​Tony133)
  • #14116 refactor(fastify): update fastify static options interface (@​Tony133)
• common, core
  • #14113 feat(core): allow overriding abortOnError for the select method (@​kamilmysliwiec)

Bug fixes

• core
  • #14267 fix shutdown hooks order (@​flovouin)

... (truncated)

Commits

• cbebdd2 chore(@​nestjs) publish v11.0.3 release
• 5eaae5f fix(platform): add missing path-to-regexp dependency #14461
• fca5ebb chore(@​nestjs) publish v11.0.2 release
• 9aa2a43 fix: use express body-parser reexports
• 0f617d4 chore(@​nestjs) publish v11.0.1 release
• d6b9fee fix: normalize middle wildcards, call path-to-regexp early
• 1299888 chore: update readme
• e19b586 chore(@​nestjs) publish v11.0.0 release
• 224e0dd chore: upgrade multer
• 95654f9 chore: update package.json
• Additional commits viewable in compare view

Updates @nestjs/cli from 10.4.9 to 11.0.0

Release notes

Sourced from @​nestjs/cli's releases.

11.0.0

Migration guide: https://docs.nestjs.com/migration-guide

Features and improvements

• feat(schematics): list schematics from extended collections #2096
• feat: nest build --all flag #2312
• feat: add flag to disable shell mode for nest start --watch #2522
• feat!: drop uncommon variants of nest cli config file name #2769
• feat: add support for --env-file flag #2818

Dependencies

• fix(deps): update dependency glob to v11 #2788
• chore/upgrade inquirer package #2718
• fix(deps): update dependency chokidar to v4 #2734
• fix(deps): update angular-cli monorepo to v19 #2811

Commits

• 6932655 chore(): release v11.0.0
• fd63b3f Merge pull request #2879 from nestjs/renovate/angular-cli-monorepo
• 5879bcb chore(deps): update dependency @​swc/core to v1.10.8 (#2880)
• b21f806 fix(deps): update angular-cli monorepo to v19.1.2
• 7c86190 Merge pull request #2878 from nestjs/renovate/inquirer-prompts-7.x
• 2b1c2fa fix(deps): update dependency @​inquirer/prompts to v7
• 9baa082 chore: resolve conflicts
• 654a1f8 chore: update chokidar
• d6ba3fa Merge pull request #2877 from nestjs/renovate/ansis-3.x
• 0289f2a Merge pull request #2876 from nestjs/renovate/inquirer-prompts-5.x
• Additional commits viewable in compare view

Updates @nestjs/schematics from 10.2.3 to 11.0.0

Release notes

Sourced from @​nestjs/schematics's releases.

Release 11.0.0 (2025-01-17)

• NestJS v11 (migration guide https://docs.nestjs.com/migration-guide)
• ESLint v9
• Angular Devkit Schematics v19

Changelog

• feat: sort library and sub-app names to reduce git merge conflicts (797a384)
• feat: enable strict null checks and consistent casing (a4cb235)
• chore: upgrade to eslint v9 (7b205f5)

Commits

• 67a5356 chore: resolve conflicts
• 94a3ba8 chore: update schematics package.json files
• 641f8ce chore(deps): update dependency @​commitlint/cli to v19.6.1 (#1962)
• 2aad221 chore(deps): update dependency eslint to v9.17.0 (#1961)
• 9c9d318 chore(deps): update dependency nodemon to v3.1.9 (#1960)
• 1cce577 chore(deps): update dependency @​types/node to v22.10.2 (#1959)
• 000626c chore(deps): update typescript-eslint monorepo to v8.18.0 (#1958)
• a0efb93 chore(deps): update dependency prettier to v3.4.2 (#1955)
• 190ff42 chore(deps): update typescript-eslint monorepo to v8.17.0 (#1954)
• 4809572 chore(deps): update dependency eslint to v9.16.0 (#1953)
• Additional commits viewable in compare view

Updates @typescript-eslint/eslint-plugin from 8.20.0 to 8.21.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.21.0

8.21.0 (2025-01-20)

🚀 Features

• ast-spec: support import attributes in TSImportType (#10640)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-arguments] handle type args on jsx (#10630)
• eslint-plugin: check JSX spread elements for misused spread usage (#10653)
• eslint-plugin: [no-for-in-array] report on any type which may be an array or array-like (#10535)
• eslint-plugin: [no-base-to-string] don't crash for recursive array or tuple types (#10633)
• eslint-plugin: [no-duplicate-enum-values] handle template literal (#10675)
• eslint-plugin-internal: [debug-namespace] on windows (#10661)
• rule-tester: handle window root path (#10654)
• scope-manager: add a reference for JSX closing element if it exists (#10614)

❤️ Thank You

• Arya Emami @​aryaemami59
• Ronen Amiel
• YeonJuan @​yeonjuan

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.21.0 (2025-01-20)

🩹 Fixes

• eslint-plugin: [no-duplicate-enum-values] handle template literal (#10675)
• eslint-plugin: [no-base-to-string] don't crash for recursive array or tuple types (#10633)
• eslint-plugin: [no-for-in-array] report on any type which may be an array or array-like (#10535)
• eslint-plugin: check JSX spread elements for misused spread usage (#10653)
• eslint-plugin: [no-unnecessary-type-arguments] handle type args on jsx (#10630)

❤️ Thank You

• Ronen Amiel
• YeonJuan @​yeonjuan

You can read about our versioning strategy and releases on our website.

Commits

• 79af426 chore(release): publish 8.21.0
• 609a78f test(eslint-plugin): adjust tests to verify no-unnecessary-type-assertion d...
• fb4ca72 fix(eslint-plugin): [no-duplicate-enum-values] handle template literal (#10675)
• 1895948 fix(eslint-plugin): [no-base-to-string] don't crash for recursive array or tu...
• 74f1c5a fix(eslint-plugin): [no-for-in-array] report on any type which may be an arra...
• 916b989 fix(eslint-plugin): check JSX spread elements for misused spread usage (#10653)
• 31be053 chore: fix failing test on master
• 70f3092 docs: [no-misused-spread] fix sample code (#10659)
• a157fd4 chore: standardized on inline named exports (mostly) (#10596)
• 3dbcc19 fix(eslint-plugin): [no-unnecessary-type-arguments] handle type args on jsx (...
• See full diff in compare view

Updates @typescript-eslint/parser from 8.20.0 to 8.21.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.21.0

8.21.0 (2025-01-20)

🚀 Features

• ast-spec: support import attributes in TSImportType (#10640)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-arguments] handle type args on jsx (#10630)
• eslint-plugin: check JSX spread elements for misused spread usage (#10653)
• eslint-plugin: [no-for-in-array] report on any type which may be an array or array-like (#10535)
• eslint-plugin: [no-base-to-string] don't crash for recursive array or tuple types (#10633)
• eslint-plugin: [no-duplicate-enum-values] handle template literal (#10675)
• eslint-plugin-internal: [debug-namespace] on windows (#10661)
• rule-tester: handle window root path (#10654)
• scope-manager: add a reference for JSX closing element if it exists (#10614)

❤️ Thank You

• Arya Emami @​aryaemami59
• Ronen Amiel
• YeonJuan @​yeonjuan

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.21.0 (2025-01-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

• 79af426 chore(release): publish 8.21.0
• a157fd4 chore: standardized on inline named exports (mostly) (#10596)
• See full diff in compare view

Updates eslint-plugin-prettier from 5.2.2 to 5.2.3

Release notes

Sourced from eslint-plugin-prettier's releases.

v5.2.3

Patch Changes

• #703 9c6141f Thanks @​BPScott! - Add name field to recommended flat config

Changelog

Sourced from eslint-plugin-prettier's changelog.

5.2.3

Patch Changes

• #703 9c6141f Thanks @​BPScott! - Add name field to recommended flat config

Commits

• 6fd7ba1 chore: release eslint-plugin-prettier (#704)
• 190d6f9 build(deps): Bump synckit from 0.9.1 to 0.9.2 (#705)
• 9cf6a01 build(deps-dev): Bump svelte from 4.2.8 to 4.2.19 (#677)
• 9c6141f chore: add plugin name to flat recommended config (#703)
• 35a5cd0 chore: bupm eslint-plugin-comments (#702)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@nestjs/apollo@13.0.1 🔁 npm/@nestjs/apollo@12.2.2	None	+6	493 kB	kamilmysliwiec, nestjscore
npm/@nestjs/cli@11.0.0	Transitive: environment, eval, filesystem, network	+31	5.56 MB	nestjscore
npm/@nestjs/config@4.0.0	environment, filesystem	+2	148 kB	nestjscore
npm/@nestjs/core@11.0.3	environment, unsafe Transitive: filesystem, shell	+3	933 kB	nestjscore
npm/@nestjs/graphql@13.0.1 🔁 npm/@nestjs/graphql@12.2.2	Transitive: environment, eval, network	+17	2.37 MB	nestjscore
npm/@nestjs/platform-express@11.0.3	network Transitive: environment, filesystem, unsafe	+23	1.18 MB	nestjscore
npm/@nestjs/schematics@11.0.0	Transitive: eval, network	+5	2.31 MB	nestjscore
npm/@typescript-eslint/eslint-plugin@8.21.0	Transitive: filesystem	+7	4.74 MB	bradzacher, jameshenry
npm/@typescript-eslint/parser@8.21.0	Transitive: filesystem	+5	1.53 MB	bradzacher, jameshenry
npm/eslint-plugin-prettier@5.2.3	None	0	34.5 kB	bpscott, jounqin, lydell, ...3 more

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
New author	npm/mime-types@3.0.0	New Author: wesleytodd Previous Author: dougwilson	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
New author	npm/negotiator@1.0.0	New Author: wesleytodd Previous Author: dougwilson	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
New author	npm/type-is@2.0.0	New Author: wesleytodd Previous Author: dougwilson	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
New author	npm/accepts@2.0.0	New Author: wesleytodd Previous Author: dougwilson	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
New author	npm/content-disposition@1.0.0	New Author: wesleytodd Previous Author: dougwilson	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
New author	npm/mute-stream@2.0.0	New Author: npm-cli-ops Previous Author: lukekarrys	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
Unstable ownership	npm/mute-stream@2.0.0	Author: npm-cli-ops	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
Shell access	npm/@nuxt/opencollective@0.4.1	Module: child_process Location: Package overview	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
Install scripts	npm/@nestjs/core@11.0.3	Install script: postinstall Source: opencollective || exit 0	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
Network access	npm/@nestjs/platform-express@11.0.3	Module: http Location: Package overview	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫
Network access	npm/@nestjs/platform-express@11.0.3	Module: https Location: Package overview	examples/nestjs-graphql/package-lock.json examples/nestjs-graphql/package.json	🚫

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/mime-types@3.0.0
• @SocketSecurity ignore npm/negotiator@1.0.0
• @SocketSecurity ignore npm/type-is@2.0.0
• @SocketSecurity ignore npm/accepts@2.0.0
• @SocketSecurity ignore npm/content-disposition@1.0.0
• @SocketSecurity ignore npm/mute-stream@2.0.0
• @SocketSecurity ignore npm/@nuxt/opencollective@0.4.1
• @SocketSecurity ignore npm/@nestjs/core@11.0.3
• @SocketSecurity ignore npm/@nestjs/platform-express@11.0.3

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.