[Snyk] Security upgrade @nestjs/platform-fastify from 7.6.13 to 11.1.11

[greg-md]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Time-of-check Time-of-use (TOCTOU) Race Condition SNYK-JS-NESTJSPLATFORMFASTIFY-14724255	741

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Time-of-check Time-of-use (TOCTOU) Race Condition

[Copilot]

Pull request overview

This PR attempts to upgrade @nestjs/platform-fastify from version 7.6.13 to 11.1.11 to address a critical Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability (SNYK-JS-NESTJSPLATFORMFASTIFY-14724255) with a severity score of 741.

Key changes:

• Upgrades @nestjs/platform-fastify from 7.6.13 to 11.1.11 (a 4 major version jump)
• Introduces numerous transitive dependency upgrades including Fastify from 3.x to 5.x
• Updates various Fastify ecosystem packages (@fastify/cors, @fastify/formbody, etc.)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
package.json	Updates @nestjs/platform-fastify dependency version to ^11.1.11
package-lock.json	Reflects the full dependency tree changes including major version upgrades for Fastify (3.x → 5.x) and numerous Fastify ecosystem packages, plus internal NestJS platform-fastify dependencies

⚠️ Critical Issues Found: This upgrade introduces breaking peer dependency mismatches that will prevent the application from running correctly. The upgraded package requires NestJS 11.x, but the project uses NestJS 7.x. This PR cannot be safely merged without also upgrading the entire NestJS ecosystem to version 11.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This upgrade introduces a critical peer dependency mismatch. The package @nestjs/[email protected] requires @nestjs/common@^11.0.0 and @nestjs/core@^11.0.0 as peer dependencies (as seen in lines 2105-2108 of package-lock.json), but the project is currently using @nestjs/common@^7.5.1 and @nestjs/core@^7.5.1.

This is a breaking change that will cause runtime errors. To safely apply this security upgrade, you need to also upgrade @nestjs/common, @nestjs/core, and likely other NestJS packages (@nestjs/graphql, @nestjs/microservices, etc.) to version 11.x. This is a major version upgrade across the entire NestJS ecosystem and will require significant testing and potential code changes to handle breaking changes between NestJS v7 and v11.

Suggested change

	"@nestjs/platform-fastify": "^11.1.11",
	"@nestjs/platform-fastify": "^7.6.15",

[Copilot]

The upgraded @nestjs/[email protected] depends on [email protected], which is a major version upgrade from the [email protected] that was bundled with the old version. Fastify v5 has breaking changes from v3, including changes to plugin systems, lifecycle hooks, and TypeScript types. Additionally, apollo-server-fastify@^2.21.0 (line 32) may not be compatible with Fastify v5, as it was designed for Fastify v3. You should verify compatibility or consider upgrading to a newer Apollo Server version that supports Fastify v5.

Suggested change

	"@nestjs/platform-fastify": "^11.1.11",
	"@nestjs/platform-fastify": "^7.6.18",