Skip to content

Comments

build(deps): bump lodash, @nestjs/config, @nestjs/graphql, @nestjs/mercurius and @nestjs/swagger#884

Open
dependabot[bot] wants to merge 1 commit intostablefrom
dependabot/npm_and_yarn/multi-dd84597043
Open

build(deps): bump lodash, @nestjs/config, @nestjs/graphql, @nestjs/mercurius and @nestjs/swagger#884
dependabot[bot] wants to merge 1 commit intostablefrom
dependabot/npm_and_yarn/multi-dd84597043

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 11, 2026

Bumps lodash to 4.17.23 and updates ancestor dependencies lodash, @nestjs/config, @nestjs/graphql, @nestjs/mercurius and @nestjs/swagger. These dependencies need to be updated together.

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates @nestjs/config from 3.3.0 to 4.0.3

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.3

What's Changed

Full Changelog: nestjs/config@4.0.2...4.0.3

Release 4.0.2

  • fix(common): update KeyOf type to support symbol keys (f53f14e)

Release 4.0.1

  • fix: validate predefined condition #1970 (79d82d6)
  • feat: allow to use symbol as a token (99d8bca)

Release 4.0.0

Breaking changes

The order in which configuration variables are read by the ConfigService#get method has been updated. The new order is:

  • Internal configuration (config namespaces and custom config files)
  • Validated environment variables (if validation is enabled and a schema is provided)
  • The process.env object

Previously, validated environment variables and the process.env object were read first, preventing them from being overridden by internal configuration. With this update, internal configuration will now always take precedence over environment variables.

Additionally, the ignoreEnvVars configuration option, which previously allowed disabling validation of the process.env object, has been deprecated. Instead, use the validatePredefined option (set to false to disable validation of predefined environment variables). Predefined environment variables refer to process.env variables that were set before the module was imported. For example, if you start your application with PORT=3000 node main.js, the PORT variable is considered predefined. However, variables loaded by the ConfigModule from a .env file are not classified as predefined.

A new skipProcessEnv option has also been introduced. This option allows you to prevent the ConfigService#get method from accessing the process.env object entirely, which can be helpful when you want to restrict the service from reading environment variables directly.

Changelog

  • chore: update config attributes to more self descriptive names (c2eaf04)
  • chore(deps): update nest monorepo to v11 (1c20713)
  • feat: order of reading variables, add skip predefined (c53c63c)
Commits
  • fc0db0a chore(): release v4.0.3
  • 3c57f35 Merge pull request #2100 from nestjs/renovate/dotenv-17.x
  • 560f095 fix(deps): update dependency dotenv to v17
  • 2585fd9 Merge pull request #2189 from nestjs/renovate/cimg-node-24.x
  • 23735a1 Merge pull request #2146 from nestjs/renovate/dotenv-expand-12.x
  • 55ba08b fix(deps): update dependency dotenv-expand to v12.0.3
  • 7fb8984 Merge pull request #2250 from nestjs/renovate/npm-lodash-vulnerability
  • 2248d7b chore(deps): update nest monorepo to v11.1.13 (#2260)
  • c77a8f6 chore(deps): update dependency @​types/node to v24.10.10 (#2259)
  • 48212e0 chore(deps): update commitlint monorepo to v20.4.1 (#2258)
  • Additional commits viewable in compare view

Updates @nestjs/graphql from 12.2.1 to 13.2.4

Release notes

Sourced from @​nestjs/graphql's releases.

v13.2.4

13.2.4 (2026-02-04)

Enhancements

Dependencies

Committers: 2

v13.2.3

v13.2.2 (2025-12-13)

Bug fixes

Enhancements

Dependencies

Committers: 3

v13.2.1

13.2.1 (2025-10-02)

Bug fixes

  • apollo

... (truncated)

Commits
  • 2ef9dee v13.2.4
  • affe17b Merge pull request #3725 from nestjs/renovate/cimg-node-24.x
  • 8915adf chore(deps): update node.js to v24.13.0
  • 29ea8c5 Merge pull request #3824 from nestjs/renovate/npm-nestjs-platform-fastify-vul...
  • 9dca7e9 chore(deps): update dependency @​nestjs/platform-fastify to v11.1.11 [security]
  • 52a6c41 Merge pull request #3828 from nestjs/renovate/nest-monorepo
  • eb88829 Merge pull request #3829 from nestjs/renovate/mercurius-16.x
  • b2113d9 chore(deps): update dependency mercurius to v16.7.0
  • 5843058 chore(deps): update nest monorepo to v11.1.13
  • 817c47d Merge pull request #3827 from nestjs/dependabot/npm_and_yarn/fastify-5.7.3
  • Additional commits viewable in compare view

Updates @nestjs/mercurius from 12.2.1 to 13.2.4

Release notes

Sourced from @​nestjs/mercurius's releases.

v13.2.4

13.2.4 (2026-02-04)

Enhancements

Dependencies

Committers: 2

v13.2.3

v13.2.2 (2025-12-13)

Bug fixes

Enhancements

Dependencies

Committers: 3

v13.2.1

13.2.1 (2025-10-02)

Bug fixes

  • apollo

... (truncated)

Commits
  • 2ef9dee v13.2.4
  • affe17b Merge pull request #3725 from nestjs/renovate/cimg-node-24.x
  • 8915adf chore(deps): update node.js to v24.13.0
  • 29ea8c5 Merge pull request #3824 from nestjs/renovate/npm-nestjs-platform-fastify-vul...
  • 9dca7e9 chore(deps): update dependency @​nestjs/platform-fastify to v11.1.11 [security]
  • 52a6c41 Merge pull request #3828 from nestjs/renovate/nest-monorepo
  • eb88829 Merge pull request #3829 from nestjs/renovate/mercurius-16.x
  • b2113d9 chore(deps): update dependency mercurius to v16.7.0
  • 5843058 chore(deps): update nest monorepo to v11.1.13
  • 817c47d Merge pull request #3827 from nestjs/dependabot/npm_and_yarn/fastify-5.7.3
  • Additional commits viewable in compare view

Updates @nestjs/swagger from 8.0.5 to 11.2.6

Release notes

Sourced from @​nestjs/swagger's releases.

11.2.6

What's Changed

New Contributors

Full Changelog: nestjs/swagger@11.2.5...11.2.6

Release 11.2.5

11.2.5 (2026-01-14)

Bug fixes

Enhancements

Committers: 2

11.2.4

What's Changed

New Contributors

Full Changelog: nestjs/swagger@11.2.3...11.2.4

Release 11.2.3

What's Changed

Full Changelog: nestjs/swagger@11.2.2...11.2.3

Release 11.2.2

11.2.2 (2025-11-16)

... (truncated)

Commits
  • 3281744 chore(): release v11.2.6
  • bca62d9 Merge pull request #3705 from nestjs/renovate/npm-lodash-vulnerability
  • b06e08a Merge pull request #3697 from ismaildasci/feat/add-format-type-definition
  • 0eeb8af Merge pull request #3707 from wanderer-s/fix/api_query_type
  • 4869d1b Merge pull request #3715 from micalevisk/feat/add-server-custom-fields
  • 8c64c72 chore(deps): update nest monorepo to v11.1.13 (#3722)
  • 128aac4 chore(deps): update dependency @​types/node to v24.10.10 (#3721)
  • 61fec42 chore(deps): update dependency fastify to v5.7.4 (#3720)
  • d453a02 chore(deps): update commitlint monorepo to v20.4.1 (#3718)
  • 1447671 fix(deps): update dependency lodash to v4.17.23 [security]
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump lodash, @nestjs/config, @nestjs/graphql, @nestjs/me…
8519479 
…rcurius and @nestjs/swagger

Bumps [lodash](https://github.com/lodash/lodash) to 4.17.23 and updates ancestor dependencies [lodash](https://github.com/lodash/lodash), [@nestjs/config](https://github.com/nestjs/config), [@nestjs/graphql](https://github.com/nestjs/graphql), [@nestjs/mercurius](https://github.com/nestjs/graphql) and [@nestjs/swagger](https://github.com/nestjs/swagger). These dependencies need to be updated together.


Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `@nestjs/config` from 3.3.0 to 4.0.3
- [Release notes](https://github.com/nestjs/config/releases)
- [Commits](nestjs/config@3.3.0...4.0.3)

Updates `@nestjs/graphql` from 12.2.1 to 13.2.4
- [Release notes](https://github.com/nestjs/graphql/releases)
- [Commits](nestjs/graphql@v12.2.1...v13.2.4)

Updates `@nestjs/mercurius` from 12.2.1 to 13.2.4
- [Release notes](https://github.com/nestjs/graphql/releases)
- [Commits](nestjs/graphql@v12.2.1...v13.2.4)

Updates `@nestjs/swagger` from 8.0.5 to 11.2.6
- [Release notes](https://github.com/nestjs/swagger/releases)
- [Commits](nestjs/swagger@8.0.5...11.2.6)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
- dependency-name: "@nestjs/config"
  dependency-version: 4.0.3
  dependency-type: direct:production
- dependency-name: "@nestjs/graphql"
  dependency-version: 13.2.4
  dependency-type: direct:production
- dependency-name: "@nestjs/mercurius"
  dependency-version: 13.2.4
  dependency-type: direct:production
- dependency-name: "@nestjs/swagger"
  dependency-version: 11.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants