
[Snyk] Security upgrade @nestjs/core from 10.4.22 to 11.1.18 #1385

Open
postiz-agent[bot] wants to merge 1 commit into main from snyk-fix-539ac653428a8087489f9476d5cf102c

Conversation


@postiz-agent postiz-agent bot commented Apr 8, 2026


Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                                                            Score
medium severity  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
                 SNYK-JS-NESTJSCORE-15920868                                                                      106

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NESTJSCORE-15920868

postiz-agent bot commented Apr 8, 2026

Merge Risk: High

This major version upgrade from NestJS v10 to v11 introduces several significant breaking changes that require developer action. The risk is high due to mandatory code and environment updates.

Key Breaking Changes:

  • Node.js Version Requirement: Support for Node.js v16 and v18 has been dropped. NestJS v11 now requires Node.js v20 or higher.
  • Express v5 Integration: The default underlying framework is now Express v5, which changes how routes are matched. Wildcard routes (*) must be named (e.g., @Get('users/*splat')). This will require updating route definitions in your application.
  • Dynamic Module Instantiation: NestJS no longer automatically deduplicates dynamic modules with identical configurations. To maintain singleton behavior, you must now assign the dynamic module to a variable and import that variable in multiple places.
  • CacheModule Update: The @nestjs/cache-manager package has been significantly updated, requiring changes to how caching is configured.
  • Lifecycle Hook Order: The execution order of termination hooks like OnModuleDestroy and OnApplicationShutdown has been reversed, which may affect application shutdown logic.

Recommendation:
Developers must carefully review the official migration guide to address these changes. Pay close attention to route definitions, dynamic module imports, and any usage of the @nestjs/cache-manager package. Ensure your environment is running Node.js v20 or newer before upgrading.

Source: Official Migration Guide

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


vercel bot commented Apr 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project          Deployment  Actions  Updated (UTC)
postiz-app-test  Error       Error    Apr 8, 2026 4:35am

1 Skipped Deployment

Project  Deployment  Actions  Updated (UTC)
postiz   Ignored     Ignored  Apr 8, 2026 4:35am



github-actions bot commented Apr 8, 2026

This PR has been marked as Spam, please re-open if this is a mistake.


postiz-agent bot commented Apr 8, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Comment thread package.json
"@nestjs/cli": "10.0.2",
"@nestjs/common": "^10.0.2",
"@nestjs/core": "^10.0.2",
"@nestjs/core": "^11.1.18",
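Review bot: the hunk raises `@nestjs/core` to `^11.1.18` but the two adjacent entries, `"@nestjs/cli": "10.0.2"` (pinned exactly) and `"@nestjs/common": "^10.0.2"`, are left on major 10; NestJS packages ship in lockstep, so core on 11 with common and cli on 10 will not resolve cleanly, which matches the "Failed to update the pnpm-lock.yaml" warning in the PR body. Bump all three `@nestjs/*` entries to the same 11.x line (e.g. `"@nestjs/common": "^11.1.18"`) and regenerate `pnpm-lock.yaml` before this is mergeable.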

Bug: The PR upgrades @nestjs/core to v11 while leaving the tightly coupled @nestjs/common at v10. This major version mismatch will likely cause a runtime error on startup.
Severity: CRITICAL

Suggested Fix

Both @nestjs/core and @nestjs/common should be on the same major version. Update @nestjs/common to the same v11 version as @nestjs/core in package.json and then run pnpm install to regenerate the lock file.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: package.json#L72

Potential issue: The `package.json` is being updated to use `@nestjs/core@11.1.18` while `@nestjs/common` remains on v10. These two packages are tightly coupled within the NestJS framework. Major version updates in NestJS, such as v11, introduce breaking changes. This mismatch will likely lead to a runtime error during application startup when `NestFactory.create()` is called, as it will try to use incompatible internal APIs. The PR author's note, "Failed to update the pnpm-lock.yaml," strongly suggests that the dependency resolution failed, confirming this incompatibility.

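As an added, defender-side example that is not code from this PR or from the Postiz project: a small Node.js script that reads a `package.json` and checks that every `@nestjs/*` dependency resolves to the same major version, the split the review comment above flags. The embedded sample `package.json` is constructed to mirror the hunk (core on 11.x, `@nestjs/cli` and `@nestjs/common` on 10.x); the function names, the `@nestjs/` scope default and the report wording are my choices, not anything the project defines.

```javascript
// Added example (not code from this PR or the Postiz project): pre-merge check
// that every @nestjs/* package in a package.json shares one major version.
// NestJS packages are released in lockstep, so core@11 beside common@10 is
// exactly the configuration the review comment above warns about.

// Constructed sample mirroring the hunk: core bumped to 11.x while
// @nestjs/cli and @nestjs/common stay on 10.x.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    "@nestjs/common": "^10.0.2",
    "@nestjs/core": "^11.1.18",
  },
  devDependencies: {
    "@nestjs/cli": "10.0.2",
  },
});

// Major version of a range string: exact pins, ^/~ ranges and >= ranges are
// understood; anything else (workspace:, git URLs, "*", dist-tags) yields
// null so it is reported instead of silently assumed to match.
function majorOf(range) {
  const m = /^\s*(?:[\^~]|>=?)?\s*v?(\d+)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Every dependency in the given scope, across all dependency fields, with the
// field it came from so the report can point at the right section.
function collectScoped(pkg, scope) {
  const fields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  const found = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (name.startsWith(scope)) {
        found.push({ name, range, field, major: majorOf(range) });
      }
    }
  }
  return found;
}

// Returns { ok, majors, entries, behind, unparsed }. ok is true only when all
// interpretable ranges agree on one major and nothing was uninterpretable;
// behind lists the packages that lag the highest major present.
function checkNestMajors(packageJsonText, scope = "@nestjs/") {
  const pkg = JSON.parse(packageJsonText);
  const entries = collectScoped(pkg, scope);
  const majors = [...new Set(entries.map((e) => e.major).filter((m) => m !== null))]
    .sort((a, b) => a - b);
  const unparsed = entries.filter((e) => e.major === null);
  const top = majors.length ? majors[majors.length - 1] : null;
  const behind = entries.filter((e) => e.major !== null && e.major < top);
  return { ok: majors.length <= 1 && unparsed.length === 0, majors, entries, behind, unparsed };
}

// Human-readable report for a CI log or a PR comment.
function formatReport(result, scope = "@nestjs/") {
  if (result.ok) {
    const major = result.majors.length ? result.majors[0] : "none found";
    return `OK: ${result.entries.length} ${scope}* package(s), major ${major}`;
  }
  const lines = [`MISMATCH: ${scope}* majors present: ${result.majors.join(", ")}`];
  for (const e of result.behind) {
    lines.push(`  bump ${e.name} (${e.field}): ${e.range} is major ${e.major}`);
  }
  for (const e of result.unparsed) {
    lines.push(`  check ${e.name} (${e.field}): cannot read a major from "${e.range}"`);
  }
  return lines.join("\n");
}

// Stand-alone run over the constructed sample. To check a real project, pass
// fs.readFileSync("package.json", "utf8") to checkNestMajors instead.
console.log(formatReport(checkNestMajors(SAMPLE_PACKAGE_JSON)));
```

On the sample this reports `MISMATCH: @nestjs/* majors present: 10, 11` and lists `@nestjs/common` and `@nestjs/cli` as the entries to bump. It only reads the manifest; whether `pnpm-lock.yaml` agrees with it is a separate check (`pnpm install --frozen-lockfile` in CI fails when they diverge, which is the situation the PR's lock-file warning describes).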

@egelhaus egelhaus removed the spam label Apr 8, 2026
@egelhaus egelhaus reopened this Apr 8, 2026

github-actions bot commented Apr 8, 2026

This PR has been marked as Spam, please re-open if this is a mistake.

@github-actions github-actions bot added the spam label Apr 8, 2026
@github-actions github-actions bot closed this Apr 8, 2026
@egelhaus egelhaus reopened this Apr 8, 2026
@egelhaus egelhaus removed the spam label Apr 8, 2026