[Snyk] Security upgrade @nestjs/graphql from 7.9.11 to 8.0.0 #46
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
- https://snyk.io/vuln/SNYK-JS-TAR-15127355
Pull request overview
This PR upgrades @nestjs/graphql from version 7.9.11 to 8.0.0 as a security fix for two Directory Traversal vulnerabilities (SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355) in the tar dependency. However, this is a major version upgrade that introduces breaking changes requiring additional dependency updates.
Changes:
- Upgraded @nestjs/graphql from ^7.9.11 to ^8.0.0 to address security vulnerabilities
| "@nestjs/config": "^0.6.3", | ||
| "@nestjs/core": "^7.5.1", | ||
| "@nestjs/graphql": "^7.9.11", | ||
| "@nestjs/graphql": "^8.0.0", |
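Review bot: the hunk moves only `@nestjs/graphql` across a major boundary (`^7.9.11` to `^8.0.0`) while the context line right above it keeps `@nestjs/core` at `^7.5.1`, so a v8 framework plugin is declared against a v7 core; a major bump of a NestJS plugin should land together with the matching `@nestjs/core` bump (or a stated reason it is not needed) rather than as a one-line change. The vulnerable package named in the description is `tar`, reached transitively, so the security effect of this PR lives in the `package-lock.json` change that is not shown here; before merging, confirm the lock diff moves every resolved `tar` entry out of the affected range, since this `package.json` hunk alone cannot demonstrate that.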
Upgrading @nestjs/graphql from version 7.9.11 to 8.0.0 requires upgrading the graphql package from version 14.7.0 to at least version 15.x. The current version ^14.7.0 is incompatible with @nestjs/graphql v8, which requires graphql v15 or higher. This will cause runtime errors when the application starts.
You should update the graphql dependency to "^15.3.0" or higher in the dependencies section.
| "@nestjs/config": "^0.6.3", | ||
| "@nestjs/core": "^7.5.1", | ||
| "@nestjs/graphql": "^7.9.11", | ||
| "@nestjs/graphql": "^8.0.0", |
The apollo-server-fastify package at version ^2.21.0 may have compatibility issues with @nestjs/graphql v8. It is recommended to upgrade apollo-server-fastify to version 3.x to ensure compatibility with the newer @nestjs/graphql version.
Consider upgrading to "apollo-server-fastify": "^3.0.0" or higher.
| "@nestjs/config": "^0.6.3", | ||
| "@nestjs/core": "^7.5.1", | ||
| "@nestjs/graphql": "^7.9.11", | ||
| "@nestjs/graphql": "^8.0.0", |
The @nestjs/graphql v8 upgrade may require updating other @nestjs packages to compatible versions. The current versions of @nestjs/common (^7.5.1) and @nestjs/core (^7.5.1) might not be fully compatible with @nestjs/graphql v8, which typically works best with @nestjs/core and @nestjs/common v8.x or higher.
Consider reviewing the compatibility matrix and upgrading the core NestJS packages to ensure proper integration.
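The overview above notes that the advisories concern `tar`, a transitive dependency, and that the fix is carried by the lock file rather than by the `package.json` line that the hunk shows. The following is an added example, not code from the PR, from Snyk or from this project: a Node script that walks a `package-lock.json` and lists every path at which `tar` is resolved, then flags any occurrence still below a minimum fixed version. The lock contents are constructed for illustration, and the minimum version is an assumed placeholder (take the real floor from the two advisories). It goes slightly beyond the PR by handling both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1.

```javascript
// Added example (not part of the PR or the project): audit which versions of a
// transitive package a package-lock.json resolves to, and flag any occurrence
// that is still below an assumed minimum fixed version.

// Constructed lockfile v2-style content for illustration only. It models the
// situation a single package.json bump can leave behind: a hoisted tar plus a
// second, older copy nested under another dependency.
const SAMPLE_LOCK_V2 = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@nestjs/graphql": "^8.0.0" } },
    "node_modules/@nestjs/graphql": { version: "8.0.0" },
    "node_modules/tar": { version: "6.1.11" },
    "node_modules/legacy-tool": { version: "1.0.0" },
    "node_modules/legacy-tool/node_modules/tar": { version: "4.4.13" },
    "node_modules/tar-stream": { version: "2.2.0" }, // similar name, must not match
  },
};

// The same constructed tree in the nested lockfile v1 shape.
const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@nestjs/graphql": { version: "8.0.0" },
    tar: { version: "6.1.11" },
    "legacy-tool": { version: "1.0.0", dependencies: { tar: { version: "4.4.13" } } },
    "tar-stream": { version: "2.2.0" },
  },
};

// ASSUMPTION: placeholder floor for the check. The real fixed version comes from
// the advisories (SNYK-JS-TAR-15032660 / SNYK-JS-TAR-15127355), not from here.
const ASSUMED_MIN_FIXED_TAR = "6.1.9";

// Parses "v1.2.3-beta.1" style strings into [1, 2, 3]; prerelease/build tags are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b on major.minor.patch only.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lists every install path at which `name` is resolved, with its version.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    const suffix = `node_modules/${name}`;
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === suffix || path.endsWith(`/${suffix}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of { name: { version, dependencies } }.
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.sort((x, y) => x.path.localeCompare(y.path));
}

// Reports all occurrences and the subset still below the floor; clean means none are below it.
function auditLock(lock, name, minFixedVersion) {
  const occurrences = findPackageVersions(lock, name);
  const belowMin = occurrences.filter((o) => compareSemver(o.version, minFixedVersion) < 0);
  return { occurrences, belowMin, clean: belowMin.length === 0 };
}

// Usage: `node audit-lock.js path/to/package-lock.json`; without an argument the
// constructed sample is audited so the script runs offline.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK_V2;
  const result = auditLock(lock, "tar", ASSUMED_MIN_FIXED_TAR);
  for (const o of result.occurrences) console.log(`${o.path}: ${o.version}`);
  console.log(result.clean
    ? `every tar entry is at or above ${ASSUMED_MIN_FIXED_TAR}`
    : `${result.belowMin.length} tar entr(y/ies) below ${ASSUMED_MIN_FIXED_TAR}`);
}
```

Run it against the lock file before and after the PR's change: the review question is not whether the hoisted `tar` moved, but whether every nested copy did, which is exactly what the `belowMin` list shows.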
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json

Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
SNYK-JS-TAR-15127355
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal