chore(deps): bump qs, @nestjs/core, @nestjs/platform-express, @nestjs/serve-static, @nestjs/swagger, @nestjs/typeorm, body-parser and @nestjs/testing

[dependabot]

Bumps qs to 6.15.2 and updates ancestor dependencies qs, @nestjs/core, @nestjs/platform-express, @nestjs/serve-static, @nestjs/swagger, @nestjs/typeorm, body-parser and @nestjs/testing. These dependencies need to be updated together.

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates @nestjs/core from 9.4.3 to 11.1.23

Release notes

Sourced from @​nestjs/core's releases.

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

• core
  • #16993 fix(core): inflight request injection bug #16989 (@​kamilmysliwiec)

Enhancements

• core
  • #16967 fix(core): identify decorator type in invalid-class-module error (@​HarrierOnChain)

Committers: 2

• Harrier (@​HarrierOnChain)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.21 (2026-05-14)

Bug fixes

• core
  • #16948 fix(core): settle skipped provider initialization (@​yudin-s)

Committers: 1

• Serge Yudin (@​yudin-s)

v11.1.20 (2026-05-13)

Bug fixes

• core, testing
  • #16939 fix(core): fix deeply nested transient providers resolution (@​kamilmysliwiec)
• core
  • #16861 fix(core): fix @​Sse losing events on complete (@​MatthiasBrehmer)
  • #16753 fix(core): defer sse writehead until after lifecycle completes (@​jkalberer)
  • #16782 fix(core): use strict null check for SSE message id (@​burhanharoon)
• microservices
  • #16850 fix(microservices): ServerRMQ crashes at boot when @​MessagePattern(undefined) is combined with wildcards: true (@​lavieennoir)
• common
  • #16845 fix(common): accept zero timestamp in parse date pipe (@​Mysh3ll)
• platform-socket.io
  • #16742 fix(socket.io): Deduplicate disconnect listener in bindMessageHandlers (@​fru1tworld)

Enhancements

• microservices

... (truncated)

Commits

• b8be8c1 chore(release): publish v11.1.23 release
• 5de10df fix: should skip transient providers for snapshots
• 801c46f chore(release): publish v11.1.22 release
• 260b8ec fix(core): inflight request injection bug #16989
• 16aceab fix(core): include received value type in invalid-module error
• 79919b1 fix(core): identify decorator type in invalid-class-module error
• 983dd52 chore(release): publish v11.1.21 release
• d48f21d fix(core): settle skipped provider initialization
• a0b0139 chore: update readme
• 7caeb3f chore(release): publish v11.1.20 release
• Additional commits viewable in compare view

Updates @nestjs/platform-express from 9.4.3 to 11.1.23

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

• core
  • #16993 fix(core): inflight request injection bug #16989 (@​kamilmysliwiec)

Enhancements

• core
  • #16967 fix(core): identify decorator type in invalid-class-module error (@​HarrierOnChain)

Committers: 2

• Harrier (@​HarrierOnChain)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.21 (2026-05-14)

Bug fixes

• core
  • #16948 fix(core): settle skipped provider initialization (@​yudin-s)

Committers: 1

• Serge Yudin (@​yudin-s)

v11.1.20 (2026-05-13)

Bug fixes

• core, testing
  • #16939 fix(core): fix deeply nested transient providers resolution (@​kamilmysliwiec)
• core
  • #16861 fix(core): fix @​Sse losing events on complete (@​MatthiasBrehmer)
  • #16753 fix(core): defer sse writehead until after lifecycle completes (@​jkalberer)
  • #16782 fix(core): use strict null check for SSE message id (@​burhanharoon)
• microservices
  • #16850 fix(microservices): ServerRMQ crashes at boot when @​MessagePattern(undefined) is combined with wildcards: true (@​lavieennoir)
• common
  • #16845 fix(common): accept zero timestamp in parse date pipe (@​Mysh3ll)
• platform-socket.io
  • #16742 fix(socket.io): Deduplicate disconnect listener in bindMessageHandlers (@​fru1tworld)

Enhancements

• microservices

... (truncated)

Commits

• b8be8c1 chore(release): publish v11.1.23 release
• 801c46f chore(release): publish v11.1.22 release
• 983dd52 chore(release): publish v11.1.21 release
• a0b0139 chore: update readme
• 7caeb3f chore(release): publish v11.1.20 release
• f6a3c2f fix(docs): update some old links in docs
• 5e33ecf feat: add MulterOptions and MulterField interfaces for express platform confi...
• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 0ca5440 Merge pull request #16627 from ankitbelal/refactor/centralize-headers-and-par...
• Additional commits viewable in compare view

Updates @nestjs/serve-static from 3.0.1 to 5.0.5

Release notes

Sourced from @​nestjs/serve-static's releases.

Release 5.0.5

• fix(deps): update dependency path-to-regexp to v8.4.2 (576202d)
• chore(deps): update dependency @​fastify/static to v9 (39ed6d0)

Release 5.0.4

What's Changed

• acceptRanges property by @​Elte156 in nestjs/serve-static#1712
• fix(deps): update dependency path-to-regexp to v8.3.0 by @​renovate[bot] in nestjs/serve-static#1770

New Contributors

• @​Elte156 made their first contribution in nestjs/serve-static#1712

Full Changelog: nestjs/serve-static@5.0.3...5.0.4

Release 5.0.3

What's Changed

• fix(fastify): serve index file when it exists by @​SteadEXE in nestjs/serve-static#1587

New Contributors

• @​SteadEXE made their first contribution in nestjs/serve-static#1587

Full Changelog: nestjs/serve-static@5.0.2...5.0.3

Release 5.0.2

What's Changed

• fix: pass unhandled error on to next express error handler by @​luddwichr in nestjs/serve-static#1572

New Contributors

• @​luddwichr made their first contribution in nestjs/serve-static#1572

Full Changelog: nestjs/serve-static@5.0.1...5.0.2

Release 5.0.1

• fix: dont send enoent error for routes under the excluded path (2cbaaaa)

Release 5.0.0

v5.0.0 (2025-01-20)

Migration guide: https://docs.nestjs.com/migration-guide

Improvements/features

• send 404 when file does not exist
• support preCompressed, decorateReply configuration options (Fastify)
• support useGlobalPrefix to auto-prepend all routes with the application's global prefix
• support Fastify v5
• support Express v5

Breaking changes

• Express v5 uses the latest version of path-to-regexp, so wildcards must now be defined differently than before, see https://docs.nestjs.com/migration-guide#express-v5

... (truncated)

Commits

• 2026aa2 chore(): release v5.0.5
• 6035962 Merge pull request #1935 from nestjs/renovate/path-to-regexp-8.x
• 576202d fix(deps): update dependency path-to-regexp to v8.4.2
• 28e287c Merge pull request #1814 from nestjs/renovate/cimg-node-24.x
• 32780ed Merge pull request #1852 from nestjs/renovate/fastify-static-9.x
• 06dcbb5 Merge pull request #1929 from nestjs/renovate/npm-path-to-regexp-vulnerability
• 39ed6d0 chore(deps): update dependency @​fastify/static to v9
• fa9b7da fix(deps): update dependency path-to-regexp to v8.4.0 [security]
• b3f020b chore(deps): update dependency typescript-eslint to v8.58.1 (#1934)
• 29de08e chore(deps): update dependency eslint to v10.2.0 (#1933)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @nestjs/swagger from 6.3.0 to 11.4.4

Release notes

Sourced from @​nestjs/swagger's releases.

Release 11.4.4

11.4.4 (2026-05-21)

Bug fixes

• #3930 fix: top-level nullable with discriminator issue (@​kamilmysliwiec)

Enhancements

• #3921 feat(swagger): add summary field to Tag Object (OpenAPI 3.2) (@​frbuceta)
• #3924 feat(swagger): warn when @​ApiTags receives hierarchy fields (@​frbuceta)
• #3925 fix(swagger): type Tag Object kind as a free-form string (@​frbuceta)

Committers: 4

• Alexander Scholz (@​LucidityDesign)
• Francisco Buceta (@​frbuceta)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Natanael dos Santos Feitosa (@​natanfeitosa)

Release 11.4.3

11.4.3 (2026-05-14)

Bug fixes

• #3910 fix(swagger): support const enum query params (@​yudin-s)
• #3911 fix(swagger-module): return reply from async route handlers (@​tibohaffner)
• #3883 fix(response-object-factory): preserve example/examples for built-in scalar response types (@​yogeshwaran-c)
• #3882 fix(swagger-types-mapper): place multipleOf inside parameter schema (@​yogeshwaran-c)

Enhancements

• #3885 feat(plugin): auto-generate enum metadata for string and number literal union types (@​y-hsgw)
• #3604 feat: added api-include-endpoint (@​TomSpott)

Dependencies

• #3906 fix(deps): update dependency swagger-ui-dist to v5.32.6 (@​renovate[bot])

Committers: 6

• Serge Yudin (@​yudin-s)
• Thibault Haffner (@​tibohaffner)
• Yogeshwaran C (@​yogeshwaran-c)
• Yukihiro Hasegawa (@​y-hsgw)
• @​TomSpott
• @​kyungseopk1m

Release 11.4.2

11.4.2 (2026-04-27)

Bug fixes

• #3867 fix(plugin): keep auto-inferred default response when only error Api*Response decorators are present (@​PeterTheOne)
• #3876 fix(plugin): handle IsIn enum inference when type falls back to Object (@​y-hsgw)

Committers: 2

• Peter Grassberger (@​PeterTheOne)

... (truncated)

Commits

• 57d8c19 chore(): release v11.4.4
• 794e895 Merge pull request #3930 from nestjs/fix/nullable-with-discriminator-3928
• d91fbe0 fix: top-level nullable with discriminator issue #3928
• 8121be3 Merge pull request #3921 from frbuceta/feat/openapi-32-tag-summary
• 5dd7ce3 feat(swagger): add summary field to OpenAPI 3.2 Tag Object
• 0d1907f Merge pull request #3927 from nestjs/renovate/vitest-monorepo
• 6edbd07 chore(deps): update dependency vitest to v4.1.7
• f797f85 Merge pull request #3924 from frbuceta/feat/api-tags-warn-hierarchy-fields
• 0a1d9c1 Merge pull request #3925 from frbuceta/fix/tag-kind-free-form-string
• 6da2e23 Apply suggestion from @​kamilmysliwiec
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @nestjs/typeorm from 9.0.1 to 11.0.1

Release notes

Sourced from @​nestjs/typeorm's releases.

Release 11.0.1

What's Changed

• feat: support v1 of TypeORM by @​naorpeled in nestjs/typeorm#2562

New Contributors

• @​naorpeled made their first contribution in nestjs/typeorm#2562

Full Changelog: nestjs/typeorm@11.0.0...11.0.1

Release 11.0.0

• chore: remove deprecated keepConnectionAlive (d25d11a)
• chore(deps): update nest monorepo to v11 (31d765b)
• chore(deps): Use crypto.randomUUID() instead of uuid module (1f7e661)

Release 10.0.2

• Merge pull request #1839 from nestjs/renovate/reflect-metadata-0.x (bb8fde8)
• chore(deps): update dependency reflect-metadata to v0.2.1 (3f96c18)
• Merge pull request #1901 from nestjs/renovate/nest-monorepo (7d29e89)
• chore(deps): update nest monorepo to v10.3.2 (b98cca9)
• Merge pull request #1802 from nestjs/renovate/cimg-node-21.x (24fa80b)
• chore(deps): update typescript-eslint monorepo to v6.21.0 (fc8c697)
• chore(deps): update dependency lint-staged to v15.2.2 (af287d6)
• chore(deps): update dependency prettier to v3.2.5 (6331626)
• chore(deps): update dependency husky to v9.0.10 (226a494)
• chore(deps): update dependency @​types/node to v20.11.16 (1d4329c)
• chore(deps): update dependency @​types/jest to v29.5.12 (dc37e84)
• chore(deps): update dependency @​types/node to v20.11.15 (429a881)
• chore(deps): update dependency @​types/node to v20.11.14 (36069c2)
• chore(deps): update dependency lint-staged to v15.2.1 (17fa212)
• chore(deps): update dependency @​types/node to v20.11.13 (7d1b6bc)
• chore(deps): update typescript-eslint monorepo to v6.20.0 (3a8f7c3)
• chore(deps): update dependency husky to v9.0.7 (b159e73)
• chore(deps): update dependency @​types/node to v20.11.10 (f0eea1c)
• chore(deps): update dependency @​types/node to v20.11.9 (f09ac1d)
• chore(deps): update dependency @​types/node to v20.11.8 (a1c893a)
• chore(deps): update dependency typeorm to v0.3.20 (b66376e)
• chore(deps): update dependency @​types/node to v20.11.7 (1138485)
• chore(deps): update dependency husky to v9.0.6 (f162e7f)
• chore(deps): update dependency @​types/uuid to v9.0.8 (d3360a2)
• chore(deps): update dependency husky to v9.0.5 (d79860c)
• chore(deps): update commitlint monorepo to v18.6.0 (0ab224c)
• chore(deps): update dependency husky to v9 (dfd5759)
• chore(deps): update dependency @​types/node to v20.11.6 (955ef3a)
• chore(deps): update nest monorepo to v10.3.1 (d5dafcd)
• chore(deps): update dependency release-it to v17.0.3 (80185ed)
• chore(deps): update typescript-eslint monorepo to v6.19.1 (a6b699c)
• chore(deps): update commitlint monorepo to v18.5.0 (4841b2b)
• chore(deps): update dependency ts-jest to v29.1.2 (e81545b)
• chore(deps): update dependency prettier to v3.2.4 (717c125)
• chore(deps): update dependency @​types/node to v20.11.5 (e17b8e9)

... (truncated)

Commits

• 57bcd24 chore(): release v11.0.1
• d08fc02 Merge pull request #2528 from nestjs/renovate/postgres-18.x
• 3d42a8e Merge pull request #2566 from nestjs/renovate/cimg-node-24.x
• 180b9c9 Merge pull request #2562 from naorpeled/feat/support-v1-of-typeorm
• 429caa3 chore(deps): update dependency ts-jest to v29.4.9 (#2569)
• 4473f7b chore(deps): update dependency typescript-eslint to v8.58.0 (#2568)
• ed9f679 fix: resolve lock sync issues
• 574b654 fix: Use ^1.0.0-dev for typeorm peer dependency range
• f8a656a chore(deps): update node.js to v24.14.1
• 70e63ed chore: Remove unnecessary unit tests
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates body-parser from 1.20.4 to 1.20.5

Release notes

Sourced from body-parser's releases.

v1.20.5

What's Changed

The reason for this release is a fix to the extended urlencoded parser returning objects instead of arrays for large array inputs (> 100) on qs@6.14.2+. (expressjs/body-parser#716)

• refactor(json): simplify strict mode error string construction by @​jonchurch in expressjs/body-parser#692
• fix: correct off-by-one error in parameterCount by @​abhu85 in expressjs/body-parser#716
• deps(qs): bump qs to 6.15.1 by @​jonchurch in expressjs/body-parser#722
• Release: 1.20.5 by @​jonchurch in expressjs/body-parser#721

New Contributors

• @​abhu85 made their first contribution in expressjs/body-parser#716

Special thanks to triager @​krzysdz for keeping this on our radar and effectively triaging the specific issue!

Full Changelog: expressjs/body-parser@1.20.4...1.20.5

Changelog

Sourced from body-parser's changelog.

1.20.5 / 2026-04-24

• refactor(json): simplify strict mode error string construction
• fix: extended urlencoded parsing of arrays with >100 elements (#716)
• deps: qs@~6.15.1

Commits

• 0defdbe release(patch): 1.20.5
• cd0e7a0 deps(qs): bump qs to 6.15.1
• 6f24d7e fix: correct off-by-one error in parameterCount (#716)
• b849bd5 deps: qs@~6.14.1 (#690)
• 2c55e2f refactor(json): simplify strict mode error string construction (#692)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for body-parser since your current version.

Updates @nestjs/testing from 9.4.3 to 11.1.23

Release notes

Sourced from @​nestjs/testing's releases.

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

• core
  • #16993 fix(core): inflight request injection bug #16989 (@​kamilmysliwiec)

Enhancements

• core
  • #16967 fix(core): identify decorator type in invalid-class-module error (@​HarrierOnChain)

Committers: 2

• Harrier (@​HarrierOnChain)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.21 (2026-05-14)

Bug fixes

• core
  • #16948 fix(core): settle skipped provider initialization (@​yudin-s)

Committers: 1

• Serge Yudin (@​yudin-s)

v11.1.20 (2026-05-13)

Bug fixes

• core, testing
  • #16939 fix(core): fix deeply nested transient providers resolution (@​kamilmysliwiec)
• core
  • #16861 fix(core): fix @​Sse losing events on complete (@​MatthiasBrehmer)
  • #16753 fix(core): defer sse writehead until after lifecycle completes (@​jkalberer)
  • #16782 fix(core): use strict null check for SSE message id (@​burhanharoon)
• microservices
  • #16850 fix(microservices): ServerRMQ crashes at boot when @​MessagePattern(undefined) is combined with wildcards: true (@​lavieennoir)
• common
  • #16845 fix(common): accept zero timestamp in parse date pipe (@​Mysh3ll)
• platform-socket.io
  • #16742 fix(socket.io): Deduplicate disconnect listener in bindMessageHandlers (@​fru1tworld)

Enhancements

• microservices

... (truncated)

Commits

• b8be8c1 chore(release): publish v11.1.23 release
• 801c46f chore(release): publish v11.1.22 release
• 983dd52 chore(release): publish v11.1.21 release
• a0b0139 chore: update readme
• 7caeb3f chore(release): publish v11.1.20 release
• 2e290c6 fix(core): fix deeply nested transient providers resolution
• f6a3c2f fix(docs): update some old links in docs
• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 5a05f52 chore: update readme
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.