Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploitation is possible when the client cancels a request while a StreamableFile is being streamed: the stream wrapped by the StreamableFile is kept open.
Release Notes
nestjs/nest
### [`v9.0.5`](https://togithub.com/nestjs/nest/releases/tag/v9.0.5)
[Compare Source](https://togithub.com/nestjs/nest/compare/v9.0.4...v9.0.5)
#### v9.0.5 (2022-07-20)
##### Bug fixes
- `common`, `platform-express`
  - [#9819](https://togithub.com/nestjs/nest/pull/9819) fix: use pipeline over stream.pipe ([@jmcdo29](https://togithub.com/jmcdo29))
##### Enhancements
- `microservices`
  - [#9798](https://togithub.com/nestjs/nest/pull/9798) feat(microservices): add noAssert option for RMQ connection ([@frankmangone](https://togithub.com/frankmangone))
  - [#9954](https://togithub.com/nestjs/nest/pull/9954) feat(microservices): add Kafka heartbeat callback to KafkaContext ([@kosh-b](https://togithub.com/kosh-b))
- `platform-express`, `platform-fastify`
  - [#9926](https://togithub.com/nestjs/nest/pull/9926) fix(express,fastify): raw body for urlencoded requests ([@tolgap](https://togithub.com/tolgap))
##### Dependencies
- Other
  - [#9959](https://togithub.com/nestjs/nest/pull/9959) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/30-event-emitter ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9960](https://togithub.com/nestjs/nest/pull/9960) chore(deps): bump terser from 5.14.1 to 5.14.2 in /sample/32-graphql-federation-schema-first/users-application ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9961](https://togithub.com/nestjs/nest/pull/9961) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/gateway ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9962](https://togithub.com/nestjs/nest/pull/9962) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/users-application ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9963](https://togithub.com/nestjs/nest/pull/9963) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/32-graphql-federation-schema-first/posts-application ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9964](https://togithub.com/nestjs/nest/pull/9964) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/32-graphql-federation-schema-first/gateway ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9965](https://togithub.com/nestjs/nest/pull/9965) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/29-file-upload ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9966](https://togithub.com/nestjs/nest/pull/9966) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/28-sse ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9967](https://togithub.com/nestjs/nest/pull/9967) chore(deps): bump terser from 5.10.0 to 5.14.2 in /sample/31-graphql-federation-code-first/posts-application ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9951](https://togithub.com/nestjs/nest/pull/9951) chore(deps-dev): bump mongoose from 6.4.4 to 6.4.5 ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
  - [#9952](https://togithub.com/nestjs/nest/pull/9952) chore(deps-dev): bump concurrently from 7.2.2 to 7.3.0 ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
- `platform-fastify`
  - [#9950](https://togithub.com/nestjs/nest/pull/9950) chore(deps): bump light-my-request from 5.1.0 to 5.2.0 ([@dependabot\[bot\]](https://togithub.com/apps/dependabot))
##### Committers: 4
- Franco Mangone ([@frankmangone](https://togithub.com/frankmangone))
- Jay McDoniel ([@jmcdo29](https://togithub.com/jmcdo29))
- Tolga Paksoy ([@tolgap](https://togithub.com/tolgap))
- [@kosh-b](https://togithub.com/kosh-b)
### [`v9.0.4`](https://togithub.com/nestjs/nest/compare/v9.0.3...v9.0.4)
[Compare Source](https://togithub.com/nestjs/nest/compare/v9.0.3...v9.0.4)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: 9.0.3 -> 9.0.5
GitHub Vulnerability Alerts: CVE-2023-26108