build(deps): bump the minor-patches group across 1 directory with 20 updates

[dependabot]

Bumps the minor-patches group with 20 updates in the / directory:

Package	From	To
@google-cloud/cloud-sql-connector	1.9.0	1.9.1
@nestjs/common	11.1.12	11.1.14
@nestjs/config	4.0.2	4.0.3
@nestjs/core	11.1.12	11.1.14
@nestjs/platform-express	11.1.12	11.1.14
@nestjs/swagger	11.2.5	11.2.6
@types/pdfkit	0.17.4	0.17.5
@upstash/redis	1.36.1	1.36.2
axios	1.13.2	1.13.5
dotenv	17.2.3	17.3.1
pg	8.17.1	8.18.0
react	19.2.3	19.2.4
@types/react	19.2.8	19.2.14
react-dom	19.2.3	19.2.4
@nestjs/testing	11.1.12	11.1.14
@swc/cli	0.6.0	0.8.0
@swc/core	1.15.8	1.15.13
globals	17.0.0	17.3.0
prettier	3.8.0	3.8.1
typescript-eslint	8.53.0	8.56.0

Updates @google-cloud/cloud-sql-connector from 1.9.0 to 1.9.1

Release notes

Sourced from @​google-cloud/cloud-sql-connector's releases.

v1.9.1

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Changelog

Sourced from @​google-cloud/cloud-sql-connector's changelog.

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Commits

• fb7b630 chore(main): release 1.9.1 (#535)
• dbb56d2 fix: update dependencies to latest (#534)
• 4711ea7 chore(deps): Update dependencies to latest as of 2026-02-13 (#531)
• b5ec405 chore: Fix tap configuration to pass with exit code 0 (#527)
• See full diff in compare view

Updates @nestjs/common from 11.1.12 to 11.1.14

Release notes

Sourced from @​nestjs/common's releases.

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

Commits

• 5d31df7 chore(release): publish v11.1.14 release
• 829d326 Merge pull request #16314 from SpencerKaiser/bugfix/cors-types
• 5058600 fix(common): change requestOrigin type
• 91212b2 fix: return type error
• 804d27b fix: invalid context when no stack trace is provided
• 8d1c16c chore: update readme
• e3a958a chore(release): publish v11.1.13 release
• d88856c test(common): add unit tests for class serializer interceptor
• a1f6162 Merge pull request #16202 from som14062005/fix/issue-16195
• 8222634 refactor: move built-in types to module-level constant
• Additional commits viewable in compare view

Updates @nestjs/config from 4.0.2 to 4.0.3

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.3

What's Changed

• fix(deps): update dependency lodash to v4.17.23 [security] by @​renovate[bot] in nestjs/config#2250
• fix(deps): update dependency dotenv-expand to v12.0.3 by @​renovate[bot] in nestjs/config#2146
• fix(deps): update dependency dotenv to v17 by @​renovate[bot] in nestjs/config#2100

Full Changelog: nestjs/config@4.0.2...4.0.3

Commits

• fc0db0a chore(): release v4.0.3
• 3c57f35 Merge pull request #2100 from nestjs/renovate/dotenv-17.x
• 560f095 fix(deps): update dependency dotenv to v17
• 2585fd9 Merge pull request #2189 from nestjs/renovate/cimg-node-24.x
• 23735a1 Merge pull request #2146 from nestjs/renovate/dotenv-expand-12.x
• 55ba08b fix(deps): update dependency dotenv-expand to v12.0.3
• 7fb8984 Merge pull request #2250 from nestjs/renovate/npm-lodash-vulnerability
• 2248d7b chore(deps): update nest monorepo to v11.1.13 (#2260)
• c77a8f6 chore(deps): update dependency @​types/node to v24.10.10 (#2259)
• 48212e0 chore(deps): update commitlint monorepo to v20.4.1 (#2258)
• Additional commits viewable in compare view

Updates @nestjs/core from 11.1.12 to 11.1.14

Release notes

Sourced from @​nestjs/core's releases.

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

Commits

• 5d31df7 chore(release): publish v11.1.14 release
• 8d1c16c chore: update readme
• e3a958a chore(release): publish v11.1.13 release
• db9494a perf(core): use set instead of array for module registry lookup
• 909b504 test(core): add unit tests for discovery service
• See full diff in compare view

Updates @nestjs/platform-express from 11.1.12 to 11.1.14

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

Commits

• 5d31df7 chore(release): publish v11.1.14 release
• 8d1c16c chore: update readme
• e3a958a chore(release): publish v11.1.13 release
• 58c761a fix(deps): update dependency cors to v2.8.6
• See full diff in compare view

Updates @nestjs/swagger from 11.2.5 to 11.2.6

Release notes

Sourced from @​nestjs/swagger's releases.

11.2.6

What's Changed

• feat: support adding custom fields on the servers[*] entry by @​micalevisk in nestjs/swagger#3715
• fix(decorator) add string literal types to ApiQueryOptions for autoco… by @​wanderer-s in nestjs/swagger#3707
• feat: add type definition for format option in @​ApiProperty decorator by @​ismaildasci in nestjs/swagger#3697
• fix(deps): update dependency lodash to v4.17.23 [security] by @​renovate[bot] in nestjs/swagger#3705

New Contributors

• @​wanderer-s made their first contribution in nestjs/swagger#3707
• @​ismaildasci made their first contribution in nestjs/swagger#3697

Full Changelog: nestjs/swagger@11.2.5...11.2.6

Commits

• 3281744 chore(): release v11.2.6
• bca62d9 Merge pull request #3705 from nestjs/renovate/npm-lodash-vulnerability
• b06e08a Merge pull request #3697 from ismaildasci/feat/add-format-type-definition
• 0eeb8af Merge pull request #3707 from wanderer-s/fix/api_query_type
• 4869d1b Merge pull request #3715 from micalevisk/feat/add-server-custom-fields
• 8c64c72 chore(deps): update nest monorepo to v11.1.13 (#3722)
• 128aac4 chore(deps): update dependency @​types/node to v24.10.10 (#3721)
• 61fec42 chore(deps): update dependency fastify to v5.7.4 (#3720)
• d453a02 chore(deps): update commitlint monorepo to v20.4.1 (#3718)
• 1447671 fix(deps): update dependency lodash to v4.17.23 [security]
• Additional commits viewable in compare view

Updates @types/pdfkit from 0.17.4 to 0.17.5

Commits

• See full diff in compare view

Updates @upstash/redis from 1.36.1 to 1.36.2

Release notes

Sourced from @​upstash/redis's releases.

v1.36.2

What's Changed

• DX-2363: add redis-js skills by @​CahidArda in upstash/redis-js#1406
• Dx 2353: Add commands HGETDEL, HGETEX, HSETEX, XDELEX, XACKDEL, CLIENT SETINFO and add new options to BITOP and XADD by @​alitariksahin in upstash/redis-js#1407

Full Changelog: upstash/redis-js@v1.36.1...v1.36.2

Commits

• a6efa76 Dx 2353 - Update Redis API compat page for v1.15 (#1407)
• 2c88e98 DX-2363: add redis-js skills (#1406)
• See full diff in compare view

Updates axios from 1.13.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates dotenv from 17.2.3 to 17.3.1

Changelog

Sourced from dotenv's changelog.

17.3.1 (2026-02-12)

Changed

• Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

Commits

• 7bc16a4 17.3.1
• 27303fd update README-es
• 6379eb2 update README
• b6d7339 fix spelling
• 5febe35 17.3.0
• f61f383 changelog 🪵
• dec94ad update README
• 4856950 update README
• 6351887 update README
• 23bd017 update README
• Additional commits viewable in compare view

Updates pg from 8.17.1 to 8.18.0

Changelog

Sourced from pg's changelog.

pg@8.18.0

• Return the client instance as the result of calling connect (previously it was void).

pg@8.17.0

• Throw correct error if database URL parsing fails.

pg@8.16.0

• Add support for min connection pool size.

pg@8.15.0

• Add support for esm importing. CommonJS importing is still also supported.

pg@8.14.0

• Add support from SCRAM-SAH-256-PLUS i.e. channel binding.

pg@8.13.0

• Add ability to specify query timeout on per-query basis.

pg@8.12.0

• Add queryMode config option to force use of the extended query protocol on queries without any parameters.

pg-pool@8.10.0

• Emit release event when client is returned to the pool.

pg@8.9.0

• Add support for stream factory.
• Better errors for SASL authentication.
• Use native crypto module for SASL authentication.

pg@8.8.0

• Bump minimum required version of native bindings.
• Catch previously uncatchable errors thrown in pool.query.
• Prevent the pool from blocking the event loop if all clients are idle (and allowExitOnIdle is enabled).
• Support lock_timeout in client config.
• Fix errors thrown in callbacks from interfering with cleanup.

pg-pool@3.5.0

• Add connection lifetime limit config option.

... (truncated)

Commits

• fc4de3c Publish
• 0d1541d Always check if activeQuery is null before using it (#3586)
• 57e93b5 Return the client instance in the connect() method (#3564)
• 5b68a11 Publish
• ea06db5 Remove node: prefix from imports (#3584)
• a3a4567 remove unused variable (#3562)
• See full diff in compare view

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates @types/react from 19.2.8 to 19.2.14

Commits

• See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates @nestjs/testing from 11.1.12 to 11.1.14

Release notes

Sourced from @​nestjs/testing's releases.

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

Commits

• 5d31df7 chore(release): publish v11.1.14 release
• 8d1c16c chore: update readme
• e3a958a chore(release): publish v11.1.13 release
• See full diff in compare view

Updates @swc/cli from 0.6.0 to 0.8.0

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​swc/cli since your current version.

Updates @swc/core from 1.15.8 to 1.15.13

Changelog

Sourced from @​swc/core's changelog.

[1.15.13] - 2026-02-23

Bug Fixes

• (errors) Avoid panic on invalid diagnostic spans (#11561) (b24b8e0)

• (es/helpers) Fix _object_without_properties crash on primitive values (#11571) (4f35904)

• (es/jsx) Preserve whitespace before HTML entities (#11521) (64be077)

• (es/minifier) Do not merge if statements with different local variable values (#11518) (3e63627)

• (es/minifier) Prevent convert_tpl_to_str when there's emoji under es5 (#11529) (ff6cf88)

• (es/minifier) Inline before merge if (#11526) (aa5a9ac)

• (es/minifier) Preserve array join("") nullish semantics (#11558) (d477f61)

• (es/minifier) Inline side-effect-free default params (#11564) (1babda7)

• (es/parser) Fix generic arrow function in TSX mode (#11549) (366a16b)

• (es/react) Preserve first-line leading whitespace with entities (#11568) (fc62617)

• (es/regexp) Transpile unicode property escapes in RegExp constructor (#11554) (476d544)

Documentation

• (agents) Clarify sandbox escalation for progress (#11574) (cb31d0d)

Features

• (es/minifier) Add unsafe_hoist_static_method_alias option (#11493) (6e7dbe2)

... (truncated)

Commits

• 2e0ea18 chore: Publish 1.15.13 with swc_core v57.0.1
• 4e7a14c chore: Publish 1.15.13-nightly-20260223.1 with swc_core v57.0.1
• efccf48 chore: Publish 1.15.12-...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.