build(deps): bump multer, @nestjs/core, @nestjs/platform-express, @nestjs/terminus, @nestjs/typeorm and @nestjs/testing #2017

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-4003d68b65

dependabot Bot commented on behalf of github Mar 19, 2026

Bumps multer to 2.1.1 and updates ancestor dependencies multer, @nestjs/core, @nestjs/platform-express, @nestjs/terminus, @nestjs/typeorm and @nestjs/testing. These dependencies need to be updated together.

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

2.1.0

Commits
  • 368c8a1 2.1.1 (#1380)
  • 7e66481 🐛 fix recursion issue
  • 643571e ✅ add explicit test for client able to send body without abrupt disconnect
  • e86fa52 fix error/abort handling
  • ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
  • 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
  • bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
  • c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
  • fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
  • 17d7f51 chore: add node version to 25.x in CI
  • Additional commits viewable in compare view

Updates @nestjs/core from 10.4.15 to 11.1.17

Release notes

Sourced from @nestjs/core's releases.

v11.1.17 (2026-03-16)

Enhancements

Bugs

Dependencies

Committers: 3

v11.1.16 (2026-03-05)

Bug fixes

  • microservices

Dependencies

Committers: 2

v11.1.15

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14 (2026-02-17)

... (truncated)

Commits
  • 447a373 chore(release): publish v11.1.17 release
  • cbdf737 feat(core): auto run get middleware for head requests
  • 315e698 chore(release): publish v11.1.16 release
  • c9268ff Merge pull request #16493 from shahnoormujawar/fix/unknown-dependencies-messa...
  • 6add3d6 chore(release): publish v11.1.15 release
  • e5fc974 fix(core): refine unknown dependencies message token display
  • 5d31df7 chore(release): publish v11.1.14 release
  • 8d1c16c chore: update readme
  • e3a958a chore(release): publish v11.1.13 release
  • db9494a perf(core): use set instead of array for module registry lookup
  • Additional commits viewable in compare view

Updates @nestjs/platform-express from 10.4.22 to 11.1.17

Release notes

Sourced from @nestjs/platform-express's releases.

v11.1.17 (2026-03-16)

Enhancements

Bugs

Dependencies

Committers: 3

v11.1.16 (2026-03-05)

Bug fixes

  • microservices

Dependencies

Committers: 2

v11.1.15

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14 (2026-02-17)

... (truncated)

Commits
  • 447a373 chore(release): publish v11.1.17 release
  • 315e698 chore(release): publish v11.1.16 release
  • 24956b5 fix(deps): update dependency multer to v2.1.1
  • 6add3d6 chore(release): publish v11.1.15 release
  • 1c09faf fix(deps): update dependency multer to v2.1.0 [security]
  • 5d31df7 chore(release): publish v11.1.14 release
  • 8d1c16c chore: update readme
  • e3a958a chore(release): publish v11.1.13 release
  • 58c761a fix(deps): update dependency cors to v2.8.6
  • 96932ad chore(release): publish v11.1.12 release
  • Additional commits viewable in compare view

Updates @nestjs/terminus from 10.2.3 to 11.1.1

Release notes

Sourced from @nestjs/terminus's releases.

Release 11.1.1

11.1.1 (2026-02-18)

Bug Fixes

Release 11.1.0

11.1.0 (2026-02-17)

Bug Fixes

  • disallow using reserved keyword status for health indicators (303948f), closes #2682

Features

  • add support for dynamic configuration with Terminus.forRootAsync (489904f), closes #2649
  • infer health check result (4e59375)

Release 11.0.0

11.0.0 (2025-01-25)

Migration Guide

Features

  • simplify custom health indicator creation (9f10a9b)
  • upgrade to nestjs v11 (c2569df), closes #2570
  • update dependencies

BREAKING CHANGES

  • Drop support for Node 16 / 18

For users who have implemented a custom health indicator, an enhanced API is now available. However, the existing API will continue to function as-is without requiring any changes.

The new and improved HealthIndicatorService provides a streamlined way to indicate whether a health indicator is up or down.

Please note that the HealthIndicator and HealthCheckError classes have been marked as deprecated and are scheduled for removal in the next major release, version 12.0.0.

@Injectable()
export class DogHealthIndicator {

... (truncated)

Changelog

Sourced from @nestjs/terminus's changelog.

Changelog

11.1.0 (2026-02-17)

Bug Fixes

  • deps: update dependency @grpc/grpc-js to v1.12.6 (7dd0d5f)
  • deps: update dependency @mikro-orm/nestjs to v6.1.0 (177fc8c)
  • deps: update dependency @mikro-orm/nestjs to v6.1.1 (8e3b253)
  • deps: update dependency @nestjs/mongoose to v11.0.1 (0af02b5)
  • deps: update dependency @nestjs/typeorm to v11 (687a4fe)
  • deps: update dependency ioredis to v5.4.2 (47125b6)
  • deps: update dependency mongoose to v8.10.1 (4b8e133)
  • deps: update dependency mysql2 to v3.12.0 (0970ecd)
  • deps: update dependency rxjs to v7.8.2 (4cceadb)
  • deps: update dependency typeorm to v0.3.22 (b0e6662)
  • deps: update mikro-orm monorepo to v6.4.5 (5ece0f8)
  • deps: update nest monorepo (eb4cab2)
  • deps: update nest monorepo (abd9ba8)
  • deps: update nest monorepo to v11 (207b45d)
  • deps: update nest monorepo to v11.0.11 (a36f951)
  • deps: update nest monorepo to v11.0.9 (2865a5b)
  • deps: update prisma monorepo to v6.3.0 (4c42699)
  • deps: update prisma monorepo to v6.3.1 (1ed2ff0)
  • disallow using reserved keyword status for health indicators (303948f), closes #2682

Features

  • add support for dynamic configuration with Terminus.forRootAsync (489904f), closes #2649
  • infer health check result (4e59375)

11.0.0 (2025-01-25)

11.0.0-beta.1 (2025-01-25)

Bug Fixes

  • deps: update dependency @grpc/proto-loader to v0.7.13 (bf08ece)
  • deps: update dependency @nestjs/typeorm to v10.0.2 (8430d1f)
  • deps: update dependency mysql2 to v3.9.8 [security] (eae8679)
  • deps: update dependency reflect-metadata to v0.2.2 (004d971)

Features

... (truncated)

Commits
  • a5dc4a5 chore: release 1.11.1
  • ff8dbcf Merge pull request #2696 from nestjs/next
  • a5c030d chore: release 11.1.1-beta.1
  • e45f528 chore: formatting
  • eb3e234 chore: release 11.1.1-beta.0
  • 8d7226b fix: use dependency injection to provide custom loggers
  • 5a2647e chore(): release v11.1.0
  • c9386ae Merge pull request #2621 from nestjs/renovate/mikro-orm-monorepo
  • c6862f4 Merge pull request #2678 from nestjs/next
  • f2a33b4 chore(deps): update mikro-orm monorepo to v6.6.7
  • Additional commits viewable in compare view

Updates @nestjs/typeorm from 10.0.2 to 11.0.0

Release notes

Sourced from @nestjs/typeorm's releases.

Release 11.0.0

  • chore: remove deprecated keepConnectionAlive (d25d11a)
  • chore(deps): update nest monorepo to v11 (31d765b)
  • chore(deps): Use crypto.randomUUID() instead of uuid module (1f7e661)

Commits
  • ce8095a chore(): release v11.0.0
  • d25d11a chore: remove deprecated keepConnectionAlive
  • 3eed059 Merge branch 'nikeee-master'
  • d6885ba chore: resolve conflicts
  • 2c011fa chore: upgrade eslint, update husky config
  • 4134457 Merge pull request #2172 from nestjs/renovate/major-nest-monorepo
  • f4dbfa4 chore(deps): update dependency lint-staged to v15.4.1 (#2173)
  • 31d765b chore(deps): update nest monorepo to v11
  • a208ec1 chore(deps): update dependency lint-staged to v15.4.0 (#2171)
  • 7009437 chore(deps): update dependency @types/node to v22.10.7 (#2170)
  • Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @nestjs/testing from 10.4.15 to 11.1.17

Release notes

Sourced from @nestjs/testing's releases.

v11.1.17 (2026-03-16)

Enhancements

Bugs

Dependencies

Committers: 3

v11.1.16 (2026-03-05)

Bug fixes

  • microservices

Dependencies

Committers: 2

v11.1.15

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14 (2026-02-17)

... (truncated)

Commits
  • 447a373 chore(release): publish v11.1.17 release
  • 315e698 chore(release): publish v11.1.16 release
  • 6add3d6 chore(release): publish v11.1.15 release
  • 5d31df7 chore(release): publish v11.1.14 release
  • 8d1c16c chore: update readme
  • e3a958a chore(release): publish v11.1.13 release
  • 96932ad chore(release): publish v11.1.12 release
  • 585f55f chore: revert lerna version
  • fef323b chore(release): publish v11.1.11 release
  • de5e026 chore(@nestjs) publish v11.1.10 release
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot added the dependencies and javascript labels Mar 19, 2026

package-lock.json changes

Summary

| Status | Count |
| --- | --- |
| ADDED | 3 |
| UPDATED | 17 |
| REMOVED | 9 |

| Name | Status | Previous | Current |
| --- | --- | --- | --- |
| @nestjs/core | UPDATED | 10.4.15 | 11.1.17 |
| @nestjs/platform-express | UPDATED | 10.4.22 | 11.1.17 |
| @nestjs/terminus | UPDATED | 10.2.3 | 11.1.1 |
| @nestjs/testing | UPDATED | 10.4.15 | 11.1.17 |
| @nestjs/typeorm | UPDATED | 10.0.2 | 11.0.0 |
| @nuxt/opencollective | ADDED | - | 0.4.1 |
| @nuxtjs/opencollective | REMOVED | 0.3.2 | - |
| array-flatten | REMOVED | 1.1.1 | - |
| body-parser | UPDATED | 1.20.4 | 2.2.2 |
| consola | UPDATED | 2.15.3 | 3.4.2 |
| cors | UPDATED | 2.8.5 | 2.8.6 |
| debug | UPDATED | 4.4.1 | 4.4.3 |
| destroy | REMOVED | 1.2.0 | - |
| express | UPDATED | 4.22.1 | 5.2.1 |
| finalhandler | UPDATED | 1.3.2 | 2.1.1 |
| iconv-lite | UPDATED | 0.4.24 | 0.7.2 |
| is-promise | ADDED | - | 4.0.0 |
| mkdirp | REMOVED | 0.5.6 | - |
| multer | UPDATED | 2.0.2 | 2.1.1 |
| node-fetch | REMOVED | 2.6.12 | - |
| path-to-regexp | UPDATED | 3.3.0 | 8.3.0 |
| raw-body | UPDATED | 2.5.3 | 3.0.2 |
| router | ADDED | - | 2.2.0 |
| send | UPDATED | 0.19.2 | 1.2.1 |
| serve-static | UPDATED | 1.16.3 | 2.2.1 |
| tr46 | REMOVED | 0.0.3 | - |
| uuid | REMOVED | 9.0.1 | - |
| webidl-conversions | REMOVED | 3.0.1 | - |
| whatwg-url | REMOVED | 5.0.0 | - |

github-actions Bot added the automerge label Mar 19, 2026

github-actions Bot commented Mar 19, 2026

MegaLinter analysis: Error

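| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ✅ COPYPASTE | jscpd | yes | | no | no | 2.78s |
| ✅ EDITORCONFIG | editorconfig-checker | 2 | | 0 | 0 | 0.03s |
| ✅ JSON | jsonlint | 2 | | 0 | 0 | 0.45s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.55s |
| ✅ JSON | prettier | 2 | 0 | 0 | 0 | 0.9s |
| ✅ JSON | v8r | 2 | | 0 | 0 | 7.7s |
| ❌ REPOSITORY | devskim | yes | | 1 | no | 2.81s |
| ✅ REPOSITORY | dustilock | yes | | no | no | 1.01s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ❌ REPOSITORY | grype | yes | | 6 | no | 35.86s |
| ❌ REPOSITORY | kics | yes | | 41 | no | 5.63s |
| ❌ REPOSITORY | kingfisher | yes | | 1 | no | 4.58s |
| ❌ REPOSITORY | secretlint | yes | | 1 | no | 1.48s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.52s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 3.85s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 4.36s |
| ❌ SPELL | cspell | 3 | | 7 | 0 | 4.75s |
| ❌ SPELL | lychee | 2 | | 1 | 0 | 2.72s |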

Detailed Issues

❌ SPELL / cspell - 7 errors
package.json:4:57      - Unknown word (Realworld)  -- authentication with Passport. Realworld example",
	 Suggestions: [Reword, realtor, Realtor, Realtors, Rearward]
package.json:5:29      - Unknown word (Suncin)     -- author": "Jaime Leonardo Suncin Cruz <leosuncin@gmail
	 Suggestions: [sunni, Sunni, Sunn, Sulci, Suncor]
package.json:52:7      - Unknown word (devoxa)     -- "@devoxa/integresql-client":
	 Suggestions: [deva, detox, devon, debora, devoid]
package.json:52:14     - Unknown word (integresql) -- "@devoxa/integresql-client": "^2.0.0",
	 Suggestions: [integers, integral, integrys, interest, interests]
package.json:54:7      - Unknown word (jackfranklin) -- "@jackfranklin/test-data-bot": "^2
	 Suggestions: []
package.json:83:6      - Unknown word (ttypescript)  -- "ttypescript": "^1.5.13",
	 Suggestions: [typescript, TypeScript, typescripts, typescript's]
package.json:106:22    - Unknown word (ttypescript)  -- "compiler": "ttypescript",
	 Suggestions: [typescript, TypeScript, typescripts, typescript's]
CSpell: Files checked: 2, Issues found: 7 in 1 file.


You can skip these misspellings by defining the following .cspell.json file at the root of your repository
Of course, please correct real typos before :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "Realworld",
        "Suncin",
        "devoxa",
        "integresql",
        "jackfranklin",
        "ttypescript"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository
❌ REPOSITORY / devskim - 1 error

(Truncated to last 5714 characters out of 11545)
❌ REPOSITORY / grype - 6 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME            INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
glob            10.4.5     10.5.0    npm   GHSA-5j98-mcp5-4vw2  High      < 0.1% (13th)  < 0.1  
path-to-regexp  8.3.0      8.4.0     npm   GHSA-j3q9-mxjg-w52f  High      < 0.1% (12th)  < 0.1  
file-type       20.4.1     21.3.2    npm   GHSA-j47w-4g3g-c36v  Medium    < 0.1% (15th)  < 0.1  
path-to-regexp  8.3.0      8.4.0     npm   GHSA-27v5-c462-wpq7  Medium    < 0.1% (12th)  < 0.1  
file-type       20.4.1     21.3.1    npm   GHSA-5v7r-6r5c-r473  Medium    < 0.1% (7th)   < 0.1  
diff            4.0.2      4.0.4     npm   GHSA-73rr-hh4g-fpgx  Low       < 0.1% (5th)   < 0.1
[0035] ERROR discovered vulnerabilities at or above the severity threshold
❌ REPOSITORY / kics - 41 errors
ports:
		042:       - '5000:5000'


Container Capabilities Unrestricted, Severity: MEDIUM, Results: 3
Description: Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.
Platform: DockerCompose
CWE: 400
Risk Score: 6.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d

	[1]: docker-compose.yml:2

		001: services:
		002:   postgres:
		003:     image: postgres:14


	[2]: docker-compose.yml:29

		028:       interval: 5s
		029:   integresql:
		030:     image: allaboutapps/integresql


	[3]: docker-compose.yml:14

		013:       retries: 5
		014:   pgweb:
		015:     image: sosedoff/pgweb


Passwords And Secrets - Password in URL, Severity: HIGH, Results: 6
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/unit-test.yml:23

		022:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		023:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:5432/authentication
		024:           ALLOWED_ORIGINS: '*'


	[2]: .github/workflows/e2e-test.yml:50

		049:           POSTGRES_DB: nestjs
		050:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/nestjs
		051:           ALLOWED_ORIGINS: '*'


	[3]: .github/workflows/e2e-test.yml:88

		087:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		088:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/authentication
		089:           ALLOWED_ORIGINS: '*'


	[4]: .github/workflows/e2e-test.yml:81

		080:         env:
		081:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/authentication
		082:       - name: Run the backend


	[5]: .github/workflows/stress-test.yml:47

		046:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		047:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/embassy
		048:           ALLOWED_ORIGINS: '*'


	[6]: .github/workflows/stress-test.yml:40

		039:         env:
		040:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/embassy
		041:       - name: Run the server


Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 4
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/unit-test.yml:19

		018:           PORT: 3000
		019:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		020:           POSTGRES_DB: authentication


	[2]: .github/workflows/e2e-test.yml:87

		086:           NODE_ENV: production
		087:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		088:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/authentication


	[3]: .github/workflows/e2e-test.yml:46

		045:           PORT: 3000
		046:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		047:           POSTGRES_USER: user


	[4]: .github/workflows/stress-test.yml:46

		045:           NODE_ENV: production
		046:           APP_SECRET: <SECRET-MASKED-ON-PURPOSE>
		047:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/embassy


Passwords And Secrets - Generic Password, Severity: HIGH, Results: 6
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/e2e-test.yml:14

		013:           POSTGRES_USER: user
		014:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		015:           POSTGRES_DB: nestjs


	[2]: .github/workflows/stress-test.yml:17

		016:           POSTGRES_USER: tighten
		017:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		018:           POSTGRES_DB: embassy


	[3]: .github/workflows/e2e-test.yml:24

		023:           INTEGRESQL_PGUSER: user
		024:           INTEGRESQL_PGPASSWORD: <SECRET-MASKED-ON-PURPOSE>
		025:           INTEGRESQL_PGDATABASE: nestjs


	[4]: .github/workflows/unit-test.yml:22

		021:           POSTGRES_USER: admin
		022:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		023:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:5432/authentication


	[5]: .github/workflows/e2e-test.yml:62

		061:           POSTGRES_USER: admin
		062:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		063:           POSTGRES_DB: authentication


	[6]: .github/workflows/e2e-test.yml:48

		047:           POSTGRES_USER: user
		048:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		049:           POSTGRES_DB: nestjs


Missing User Instruction, Severity: HIGH, Results: 1
Description: Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
Platform: Dockerfile
CWE: 250
Risk Score: 7.7
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f

	[1]: Dockerfile:21

		020: 
		021: FROM gcr.io/distroless/nodejs:18 AS app
		022: 



Results Summary:
CRITICAL: 0
HIGH: 17
MEDIUM: 10
LOW: 13
INFO: 1
TOTAL: 41

A new version 'v2.1.20' of KICS is available, please consider updating

(Truncated to last 5714 characters out of 13606)
❌ REPOSITORY / kingfisher - 1 error
New Kingfisher release 1.92.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 453 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
POSTGRES URL WITH HARDCODED PASSWORD => [KINGFISHER.POSTGRES.1]
 |Finding.......: [REDACTED:6a265ea1]
 |Fingerprint...: 16688131545332949422
 |Confidence....: medium
 |Entropy.......: 4.37
 |Validation....: Inactive Credential
 |__Response....: Postgres connection failed.
 |Language......: YAML
 |Line Num......: 23
 |Path..........: ./.github/workflows/unit-test.yml


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 1
 |__Skipped Validations.......: 0
 |Rules Applied...............: 453
 |__Blobs Scanned.............: 191
 |Bytes Scanned...............: 7.42 MiB
 |Scan Duration...............: 137ms 5us 449ns
 |Scan Date...................: 2026-04-02 07:24:47 +00:00
 |Kingfisher Version..........: 1.84.0
 |__Latest Version............: 1.92.0
New Kingfisher release 1.92.0 available
❌ SPELL / lychee - 1 error
[403] https://www.patreon.com/feross | Network error: Forbidden
📝 Summary
---------------------
🔍 Total..........944
✅ Successful.....942
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........1

Errors in package-lock.json
[403] https://www.patreon.com/feross | Network error: Forbidden
❌ REPOSITORY / secretlint - 1 error
.github/workflows/e2e-test.yml
  81:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *****************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string
  88:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *****************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

.github/workflows/stress-test.yml
  40:24  error  [PostgreSQLConnection] found PostgreSQL connection string: ***************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string
  47:24  error  [PostgreSQLConnection] found PostgreSQL connection string: ***************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

.github/workflows/unit-test.yml
  23:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *********************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 5 problems (5 errors, 0 warnings, 0 infos)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff


dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4003d68b65 branch 2 times, most recently from 26b8938 to 153e770, March 29, 2026 12:26

kodiakhq Bot commented Mar 29, 2026

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

kodiakhq Bot removed the automerge label Mar 29, 2026
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4003d68b65 branch from 153e770 to 420c2f8, March 29, 2026 12:28
github-actions Bot added the automerge label Mar 29, 2026
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4003d68b65 branch 2 times, most recently from fe47ce2 to f4d3cbd, March 29, 2026 12:32
…stjs/terminus, @nestjs/typeorm and @nestjs/testing

Bumps [multer](https://github.com/expressjs/multer) to 2.1.1 and updates ancestor dependencies [multer](https://github.com/expressjs/multer), [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core), [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express), [@nestjs/terminus](https://github.com/nestjs/terminus), [@nestjs/typeorm](https://github.com/nestjs/typeorm) and [@nestjs/testing](https://github.com/nestjs/nest/tree/HEAD/packages/testing). These dependencies need to be updated together.


Updates `multer` from 2.0.2 to 2.1.1
- [Release notes](https://github.com/expressjs/multer/releases)
- [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md)
- [Commits](expressjs/multer@v2.0.2...v2.1.1)

Updates `@nestjs/core` from 10.4.15 to 11.1.17
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.17/packages/core)

Updates `@nestjs/platform-express` from 10.4.22 to 11.1.17
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.17/packages/platform-express)

Updates `@nestjs/terminus` from 10.2.3 to 11.1.1
- [Release notes](https://github.com/nestjs/terminus/releases)
- [Changelog](https://github.com/nestjs/terminus/blob/master/CHANGELOG.md)
- [Commits](nestjs/terminus@10.2.3...11.1.1)

Updates `@nestjs/typeorm` from 10.0.2 to 11.0.0
- [Release notes](https://github.com/nestjs/typeorm/releases)
- [Commits](nestjs/typeorm@10.0.2...11.0.0)

Updates `@nestjs/testing` from 10.4.15 to 11.1.17
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.17/packages/testing)

---
updated-dependencies:
- dependency-name: multer
  dependency-version: 2.1.1
  dependency-type: indirect
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.17
  dependency-type: direct:production
- dependency-name: "@nestjs/platform-express"
  dependency-version: 11.1.17
  dependency-type: direct:production
- dependency-name: "@nestjs/terminus"
  dependency-version: 11.1.1
  dependency-type: direct:production
- dependency-name: "@nestjs/typeorm"
  dependency-version: 11.0.0
  dependency-type: direct:production
- dependency-name: "@nestjs/testing"
  dependency-version: 11.1.17
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4003d68b65 branch from f4d3cbd to 765bbd7, April 2, 2026 07:21