🚨 [security] Update @nestjs/microservices 11.1.6 → 11.1.19 (patch)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​nestjs/microservices (11.1.6 → 11.1.19) · Repo · Changelog

Security Advisories 🚨

🚨 Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)

Impact

Attacker sends many small, valid JSON messages in one TCP frame
→ handleData() recurses once per message; buffer shrinks each call
→ maxBufferSize is never reached; call stack overflows instead
→ A ~47 KB payload is sufficient to trigger RangeError

Patches

Fixed in @nestjs/microservices@11.1.19

References

Discovered by https://github.com/hwpark6804-gif

Release Notes

11.1.18

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@JakobStaudinger)
  • #16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@dependabot[bot])

Committers: 6

• Ankit San (@ankitbelal)
• Jakob Staudinger (@JakobStaudinger)
• Kamil Mysliwiec (@kamilmysliwiec)
• Krishna Chaitanya (@Krishnachaitanyakc)
• MK (@wwenrr)
• youmoo (@Youmoo)

11.1.17

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) cbdf737 (@kamilmysliwiec)

Dependencies

• common
  • #16567 fix(deps): update dependency file-type to v21.3.2 (@renovate[bot])
• platform-fastify
  • #16533 fix(deps): update dependency fastify to v5.8.2 (@renovate[bot])

Committers: 3

• Rohan Santhosh Kumar (@Rohan5commit)
• Vasil Chomakov (@vchomakov)
• Kamil Mysliwiec (@kamilmysliwiec)

11.1.16

v11.1.16 (2026-03-05)

Bug fixes

• microservices
  • #16506 fix(microservices): fix double callback when isdisposed or err is truthy (@LhonRafaat)

Dependencies

• platform-express
  • #16507 fix(deps): update dependency multer to v2.1.1 (@renovate[bot])

Committers: 2

• Lhon (@LhonRafaat)
• Shahnoor Mujawar (@shahnoormujawar)

11.1.15

What's Changed

• fix(microservices): if indexOf return 0 will if will be falsy by @cuiweixie in #16401
• fix(microservices): introuduce max pattern depth and object complexity by @kamilmysliwiec in #16402
• chore(@nestjs/core): allow override for initializeWildcardHandlersIfE… by @StNekroman in #16468
• chore(deps): update dependency @fastify/middie to v9.2.0 [security] by @renovate[bot] in #16472
• fix(deps): update dependency multer to v2.1.0 [security] by @renovate[bot] in #16474

New Contributors

• @cuiweixie made their first contribution in #16401
• @StNekroman made their first contribution in #16468

Full Changelog: v11.1.14...v11.1.15

11.1.14

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@SpencerKaiser)

Committers: 5

• Julien Dufresne (@JulienDuf)
• Kamil Mysliwiec (@kamilmysliwiec)
• Mykhailo Skrypsky (@mixator)
• Spencer Kaiser (@SpencerKaiser)
• 조수민 (@suuuuuuminnnnnn)

11.1.13

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@renovate[bot])
• platform-express
  • #16241 fix(deps): update dependency cors to v2.8.6 (@renovate[bot])

Committers: 6

• Lee Donghyun (@devizi0)
• Mykhailo Skrypsky (@mixator)
• Neo (@chojs23)
• Praveen Somasundaram (@som14062005)
• Ricardo Gomes (@jobnow)
• 조수민 (@suuuuuuminnnnnn)

11.1.12

v11.1.12 (2026-01-15)

Bug fixes

• common
  • #16187 fix(common): regression in loading file-type under Windows OS (@iamkanguk97)

Dependencies

• platform-ws
  • #16161 chore(deps): bump ws from 8.18.3 to 8.19.0 (@dependabot[bot])
• common
  • #16155 fix(deps): update dependency file-type to v21.3.0 (@renovate[bot])
• platform-fastify
  • #16154 fix(deps): update dependency find-my-way to v9.4.0 (@renovate[bot])

Committers: 3

• Antonio Tripodi (@Tony133)
• KANGUK LEE (@iamkanguk97)
• @miso-kyoungminkim

11.1.11

v11.1.11 (2025-12-29)

Bug fixes

• platform-fastify
  • #16135 fix(platform-fastify): middie bypassing through decoded chars (@kamilmysliwiec)
• core
  • #16133 fix(core): add missing catch handler for forward-ref provider resolution (@coti-z)

Dependencies

• platform-socket.io
  • #16125 fix(deps): update dependency socket.io to v4.8.3 (@renovate[bot])
  • #16114 chore(deps): bump socket.io from 4.8.1 to 4.8.2 (@dependabot[bot])
• platform-fastify
  • #16130 fix(deps): update dependency @fastify/static to v9 (@renovate[bot])
• common
  • #16127 chore(deps): bump file-type from 21.1.1 to 21.2.0 (@dependabot[bot])

Committers: 3

• Himanshu Gupta (@manureja64)
• Kamil Mysliwiec (@kamilmysliwiec)
• coti (@coti-z)

11.1.10

v11.1.10 (2025-12-22)

Bug fixes

• core
  • #16098 fix(core): instantiate nested transient providers in static context (@mag123c)
  • #16005 fix(core): resolve all providers when using resolve() with each option (@malkovitc)
• microservices
  • #16072 fix(microservices): fix grpc stream method return type (@shash-hq)
• common
  • #16077 fix(common): resolve file-type path explicitly (@shash-hq)
  • #16013 fix(common): Support fallbackToMimetype without buffer (@chenjieya)

Enhancements

• common
  • #16100 fix(common): improve error handling in FileTypeValidator (@malkovitc)
  • #16060 feat(common): add message property to file type validator (@Jo-Minseok)
  • #16079 fix: enhance ValidationPipe (@liu-jin-yi)
• core
  • #15721 feat(core): add Promise support for SSE handlers (@pythonjsgo)
• microservices
  • #15975 feat(microservices): add keepalive support for server side (@OlegStrokan)
• common, core
  • #15986 feat(core): add option for async logger compatibility (@mag123c)

Dependencies

• platform-fastify
  • #16041 fix(deps): update dependency @fastify/cors to v11.2.0 (@renovate[bot])
• platform-express
  • #16002 fix(deps): update dependency express to v5.2.1 (@renovate[bot])
• common
  • #15948 chore(deps): bump file-type from 21.1.0 to 21.1.1 (@dependabot[bot])

Committers: 11

• Alexander (@pythonjsgo)
• J_Coder (@Jo-Minseok)
• Luke Son (@KAPUIST)
• Oleh Strokan (@OlegStrokan)
• Praveen Somasundaram (@som14062005)
• Shashank (@shash-hq)
• @chenjieya
• @giorgikakauridze
• @mag123c
• chernomortsev evgeny (@malkovitc)
• liu-jin-yi (@liu-jin-yi)

11.1.9

v11.1.9 (2025-11-14)

Bug fixes

• core
  • #15865 fix(core): make get() throw for implicitly request-scoped trees (@JoeNutt)

Enhancements

• common
  • #15863 feat(common): add method options to @sse decorator (@TomerSteinberg)

Dependencies

• platform-fastify
  • #15899 chore(deps): bump fastify from 5.6.1 to 5.6.2 (@dependabot[bot])

Committers: 4

• Rami (@JoeNutt)
• Rhynel Algopera (@dev-rhynel)
• Tomer Steinberg (@TomerSteinberg)
• WuMingDao (@WuMingDao)

11.1.8

v11.1.8 (2025-10-27)

Bug fixes

• core
  • #15815 fix(core): ensure nested transient provider isolation (@mag123c)
• platform-fastify
  • #15831 fix(fastify): Migrate fastify top-level options to routerOptions (@kim-sung-jee)

Committers: 2

• JaeHo Jang (@mag123c)
• Seongjee Kim (@kim-sung-jee)

11.1.7

v11.1.7 (2025-10-21)

Bug fixes

• microservices
  • #15747 Fix/rmq microservice fanout bind (@slon2015)
• platform-fastify
  • #15732 fix: correct parameter type in RouteConstraints decorator (@thedv91)
• core
  • #15571 fix(core): skip lifecycle hooks for non-instantiated transient services (@mag123c)
• common
  • #15577 Add color allowance check to console logger options (@kerryChen95)

Enhancements

• common, platform-socket.io, websockets
  • #15543 feat(websockets): allow manual acknowledgement handling with @ack() decorator (@kim-sung-jee)
• common
  • #15705 fix(core): resolve extras in configurable module builder async methods (@mag123c)
• common, core
  • #15503 feat(common): add force-console option to console logger (@mag123c)
• core
  • #15588 fix(core): improve dependency resolution error messages (@at7211)
• microservices
  • #15598 feat(errors): add InvalidTcpDataReceptionException for handling TCP receive errors​ (@ghyghoo8)

Dependencies

• platform-fastify
  • #15664 chore(deps): bump fastify to 5.6.1 (@dependabot[bot])
• core, platform-express, platform-fastify
  • #15622 fix(deps): update dependency path-to-regexp to v8.3.0 (@renovate[bot])
• common
  • #15566 chore(deps): bump load-esm from 1.0.2 to 1.0.3 (@dependabot[bot])

Committers: 9

• Harry (@thedv91)
• JaeHo Jang (@mag123c)
• Jay-Chou (@at7211)
• Kerry (@kerryChen95)
• Micael Levi L. Cavalcante (@micalevisk)
• Seongjee Kim (@kim-sung-jee)
• SerafimGerasimov (@slon2015)
• @Olexandr88
• ghy (@ghyghoo8)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3e29676

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[depfu]

Closing because this update has already been applied