Skip to content

Bump axios, @nestjs/common, @nestjs/core, @nestjs/graphql, @nestjs/platform-express, @nestjs/testing and wait-on in /nest-graph-ql#476

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/nest-graph-ql/multi-5b5972aba4
Open

Bump axios, @nestjs/common, @nestjs/core, @nestjs/graphql, @nestjs/platform-express, @nestjs/testing and wait-on in /nest-graph-ql#476
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/nest-graph-ql/multi-5b5972aba4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Bumps axios to 1.16.1 and updates ancestor dependencies axios, @nestjs/common, @nestjs/core, @nestjs/graphql, @nestjs/platform-express, @nestjs/testing and wait-on. These dependencies need to be updated together.

Updates axios from 0.24.0 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Commits
  • 1337d6b chore(release): prepare release 1.16.1 (#10877)
  • 858a790 fix: remove all caches (#10882)
  • 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
  • 847d89b fix: support URL object as config.url input (#10866)
  • 4094886 fix(progress): guard malformed XHR upload events (#10868)
  • 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
  • 64e1095 chore: update PR and issue template to use h2 (#10865)
  • 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
  • c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
  • caa00a9 fix: https data in cleartext to proxy (#10858)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @nestjs/common from 8.2.6 to 11.1.24

Release notes

Sourced from @​nestjs/common's releases.

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core
    • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

v11.1.22 (2026-05-21)

Bug fixes

Enhancements

Committers: 2

v11.1.21 (2026-05-14)

Bug fixes

Committers: 1

... (truncated)

Commits
  • d8a0ab8 chore(release): publish v11.1.24 release
  • 2dccece chore: update readmes
  • b8be8c1 chore(release): publish v11.1.23 release
  • 801c46f chore(release): publish v11.1.22 release
  • 983dd52 chore(release): publish v11.1.21 release
  • a0b0139 chore: update readme
  • 7caeb3f chore(release): publish v11.1.20 release
  • f6a3c2f fix(docs): update some old links in docs
  • 4b6420b Merge pull request #16902 from QusaiAlbonni/fix/filetype-validator-buffer-mes...
  • 33515ed fix(common): improve missing buffer error message in file type validator
  • Additional commits viewable in compare view

Updates @nestjs/core from 8.2.6 to 11.1.24

Release notes

Sourced from @​nestjs/core's releases.

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core
    • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

v11.1.22 (2026-05-21)

Bug fixes

Enhancements

Committers: 2

v11.1.21 (2026-05-14)

Bug fixes

Committers: 1

... (truncated)

Commits
  • d8a0ab8 chore(release): publish v11.1.24 release
  • 3ed595e fix(core): keep dependency parent registry internal
  • 1b8c8b0 fix(core): propagate dependency tree cache resets
  • 4c07009 fix(core): reset dependency tree cache on metadata changes
  • ff95b3f Merge pull request #16997 from hbinhng/feat/warn-late-use-websocket-adapter
  • 2dccece chore: update readmes
  • b8be8c1 chore(release): publish v11.1.23 release
  • 5de10df fix: should skip transient providers for snapshots
  • d956db4 feat(core): warn on late websocket adapter registration
  • 801c46f chore(release): publish v11.1.22 release
  • Additional commits viewable in compare view

Updates @nestjs/graphql from 9.1.2 to 13.4.2

Release notes

Sourced from @​nestjs/graphql's releases.

v13.4.2 (2026-05-21)

Bug fixes

  • graphql
    • #4007 fix(graphql): preserve PickType fields for dual-decorated inputs (@​yudin-s)

Committers: 1

v13.4.1

13.4.1 (2026-05-19)

Bug fixes

  • apollo
    • #3999 fix(apollo): add granular control over HTTP status preservation for execution errors (@​thiagojv)
    • #3969 fix(@​nestjs/apollo): expose schema transform hook on gateway driver (@​maruthang)
  • graphql
    • #3970 fix(@​nestjs/graphql): run plugin refresh hooks in registration order (@​maruthang)

Committers: 3

v13.4.0

13.4.0 (2026-04-30)

Features

  • apollo, graphql, mercurius
    • #3811 feat(graphql): Add registerIn option for module-scoped type filtering (@​joe-re)

Bug fixes

  • graphql
  • apollo, graphql

Enhancements

  • graphql
    • #3963 fix(@​nestjs/graphql): validate registerEnumType/createUnionType options eagerly (@​yogeshwaran-c)

Dependencies

Committers: 3

... (truncated)

Commits
  • c639ef8 v13.4.2
  • ac5ed8b Merge pull request #4007 from yudin-s/fix/picktype-dual-decorated-input
  • 0998d21 Merge pull request #4005 from nestjs/dependabot/npm_and_yarn/apollo/federatio...
  • 9ce30f8 fix(graphql): preserve PickType fields for dual-decorated inputs
  • 9001773 chore(deps): update dependency vitest to v4.1.7 (#4004)
  • 5380a0e chore(deps): bump @​apollo/federation-internals from 2.11.2 to 2.14.0
  • 6e939d3 Merge pull request #4002 from nestjs/dependabot/npm_and_yarn/fastify/static-9...
  • 9b1fdd2 Merge pull request #4003 from nestjs/dependabot/npm_and_yarn/ws-8.20.1
  • 764efbc chore: update serialized graph snapshot
  • f57c31b chore(deps): bump ws from 8.18.0 to 8.20.1
  • Additional commits viewable in compare view

Updates @nestjs/platform-express from 8.2.6 to 11.1.24

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core
    • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

v11.1.22 (2026-05-21)

Bug fixes

Enhancements

Committers: 2

v11.1.21 (2026-05-14)

Bug fixes

Committers: 1

... (truncated)

Commits
  • d8a0ab8 chore(release): publish v11.1.24 release
  • 2dccece chore: update readmes
  • b8be8c1 chore(release): publish v11.1.23 release
  • 801c46f chore(release): publish v11.1.22 release
  • 983dd52 chore(release): publish v11.1.21 release
  • a0b0139 chore: update readme
  • 7caeb3f chore(release): publish v11.1.20 release
  • f6a3c2f fix(docs): update some old links in docs
  • 5e33ecf feat: add MulterOptions and MulterField interfaces for express platform confi...
  • 6730995 chore(release): publish v11.1.19 release
  • Additional commits viewable in compare view

Updates @nestjs/testing from 8.2.6 to 11.1.24

Release notes

Sourced from @​nestjs/testing's releases.

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core
    • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

v11.1.22 (2026-05-21)

Bug fixes

Enhancements

Committers: 2

v11.1.21 (2026-05-14)

Bug fixes

Committers: 1

... (truncated)

Commits
  • d8a0ab8 chore(release): publish v11.1.24 release
  • 2dccece chore: update readmes
  • b8be8c1 chore(release): publish v11.1.23 release
  • 801c46f chore(release): publish v11.1.22 release
  • 983dd52 chore(release): publish v11.1.21 release
  • a0b0139 chore: update readme
  • 7caeb3f chore(release): publish v11.1.20 release
  • 2e290c6 fix(core): fix deeply nested transient providers resolution
  • f6a3c2f fix(docs): update some old links in docs
  • 6730995 chore(release): publish v11.1.19 release
  • Additional commits viewable in compare view

Updates wait-on from 6.0.0 to 9.0.10

Release notes

Sourced from wait-on's releases.

v9.0.10

Cleaned up unnecessary files from npm published package, added code coverage

Removed:

  • .fastembed_cache
  • .github
  • .nyc_output
  • coverage
  • .editorconfig
  • .nycrc.json
  • .prettierrc.js
  • eslint.config.mjs

Increased code coverage

Thanks @​aarongoldenthal

v9.0.6

Update minor deps for security vulnerabilities

  • axios
    • follow-redirects
  • joi

v9.0.5

Update minor dependencies and npm audit fixes

v9.0.4

Updated patch dependencies including axios and lodash

v9.0.3

Update to jsdoc. Thanks @​westonruter

Minor dependencies updated: eslint, mocha, axios

v9.0.2

Replaced unmaintained expect-legacy package with chai. Thanks @​bdkopen

v9.0.1

Update minor deps:

  • axios
  • eslint

v9.0.0

Updating major version to align with removal of unspported versions of Node.js

wait-on will continue to support the active and maintained releases listed at https://nodejs.org/en/about/previous-releases which currently is 20, 22, 24.

There are no other breaking changes other than changing the versions of Node.js that are supported.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump axios, @nestjs/common, @nestjs/core, @nestjs/graphql, @nestjs/pl…
25cb480 
…atform-express, @nestjs/testing and wait-on

Bumps [axios](https://github.com/axios/axios) to 1.16.1 and updates ancestor dependencies [axios](https://github.com/axios/axios), [@nestjs/common](https://github.com/nestjs/nest/tree/HEAD/packages/common), [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core), [@nestjs/graphql](https://github.com/nestjs/graphql), [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express), [@nestjs/testing](https://github.com/nestjs/nest/tree/HEAD/packages/testing) and [wait-on](https://github.com/jeffbski/wait-on). These dependencies need to be updated together.


Updates `axios` from 0.24.0 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.24.0...v1.16.1)

Updates `@nestjs/common` from 8.2.6 to 11.1.24
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.24/packages/common)

Updates `@nestjs/core` from 8.2.6 to 11.1.24
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.24/packages/core)

Updates `@nestjs/graphql` from 9.1.2 to 13.4.2
- [Release notes](https://github.com/nestjs/graphql/releases)
- [Commits](nestjs/graphql@9.1.2...v13.4.2)

Updates `@nestjs/platform-express` from 8.2.6 to 11.1.24
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.24/packages/platform-express)

Updates `@nestjs/testing` from 8.2.6 to 11.1.24
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.24/packages/testing)

Updates `wait-on` from 6.0.0 to 9.0.10
- [Release notes](https://github.com/jeffbski/wait-on/releases)
- [Commits](jeffbski/wait-on@v6.0.0...v9.0.10)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: indirect
- dependency-name: "@nestjs/common"
  dependency-version: 11.1.24
  dependency-type: direct:production
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.24
  dependency-type: direct:production
- dependency-name: "@nestjs/graphql"
  dependency-version: 13.4.2
  dependency-type: direct:production
- dependency-name: "@nestjs/platform-express"
  dependency-version: 11.1.24
  dependency-type: direct:production
- dependency-name: "@nestjs/testing"
  dependency-version: 11.1.24
  dependency-type: direct:development
- dependency-name: wait-on
  dependency-version: 9.0.10
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants