chore(deps): update dependency @nestjs/common to v11.0.16 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/common (source)	11.0.11 → 11.0.16

---

nest allows a remote attacker to execute arbitrary code via the Content-Type header

CVE-2024-29409 / GHSA-cj7v-w2c7-cp7c

More information

Details

File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-29409
• https://github.com/nestjs/nest/issues/13311#issuecomment-1993839495
• https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f
• https://github.com/nestjs/nest/blob/83a48b2c7396985144b7a6cd5d3bee1abb7c5d81/packages/common/pipes/file/file-type.validator.ts#L19
• https://github.com/nestjs/nest/issues/14876
• https://github.com/nestjs/nest/issues/14876#issuecomment-2796888038
• https://github.com/nestjs/nest/pull/14881
• https://github.com/nestjs/nest/releases/tag/v11.0.16
• https://github.com/nestjs/nest/releases/tag/v10.4.16
• https://github.com/advisories/GHSA-cj7v-w2c7-cp7c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nestjs/nest (@​nestjs/common)

v11.0.16

Compare Source

v11.0.16 (2025-04-11)

• fix(common): use file-type to validate file mimetypes by @​Chathula in #​14881

v11.0.15

Compare Source

v11.0.15 (2025-04-10)

Bug fixes

• platform-fastify
  • #​14935 fix(fastify): methods comparison (@​johaven)

Committers: 1

• Johan Legrand (@​johaven)

v11.0.14

Compare Source

v11.0.14 (2025-04-09)

Bug fixes

• platform-fastify
  • #​14511 fix(fastify): adds the non-standard http methods to the instance (@​johaven)

Committers: 1

• Johan Legrand (@​johaven)

v11.0.13

Compare Source

v11.0.13 (2025-04-03)

Bug fixes

• platform-fastify
  • #​14895 fix(fastify-adapter): global prefix exclusion path handling w/middleware (@​KyleLilly)
• microservices
  • #​14869 fix(microservices): do not re-create client connection once get client by service name (@​mingo023)

Dependencies

• platform-express
  • #​14883 fix(deps): update dependency express to v5.1.0 (@​renovate[bot])
  • #​14817 fix(deps): update dependency multer to v1.4.5-lts.2 (@​renovate[bot])
• platform-fastify
  • #​14861 fix(deps): update dependency fastify to v5.2.2 (@​renovate[bot])
  • #​14864 chore(deps): bump @​fastify/cors from 11.0.0 to 11.0.1 (@​dependabot[bot])

Committers: 2

• Kyle Lilly (@​KyleLilly)
• Minh Ngo (@​mingo023)

v11.0.12

Compare Source

v11.0.12 (2025-03-19)

Bug fixes

• core
  • #​14803 fix(core): infinite loop on broken circular reference (@​kamilmysliwiec)
  • #​14792 dependencies not resolving for request-scoped lazy providers (@​anizozina)

Enhancements

• core
  • #​14802 feat(core): add options to the legacy route converter (@​kamilmysliwiec)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.