Skip to content

Bump lodash and @nestjs/config#4

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/multi-ecf000bdcb
Open

Bump lodash and @nestjs/config#4
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/multi-ecf000bdcb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 6, 2026

Copy link
Copy Markdown

Bumps lodash to 4.17.23 and updates ancestor dependency @nestjs/config. These dependencies need to be updated together.

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates @nestjs/config from 3.3.0 to 4.0.3

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.3

What's Changed

Full Changelog: nestjs/config@4.0.2...4.0.3

Release 4.0.2

  • fix(common): update KeyOf type to support symbol keys (f53f14e)

Release 4.0.1

  • fix: validate predefined condition #1970 (79d82d6)
  • feat: allow to use symbol as a token (99d8bca)

Release 4.0.0

Breaking changes

The order in which configuration variables are read by the ConfigService#get method has been updated. The new order is:

  • Internal configuration (config namespaces and custom config files)
  • Validated environment variables (if validation is enabled and a schema is provided)
  • The process.env object

Previously, validated environment variables and the process.env object were read first, preventing them from being overridden by internal configuration. With this update, internal configuration will now always take precedence over environment variables.

Additionally, the ignoreEnvVars configuration option, which previously allowed disabling validation of the process.env object, has been deprecated. Instead, use the validatePredefined option (set to false to disable validation of predefined environment variables). Predefined environment variables refer to process.env variables that were set before the module was imported. For example, if you start your application with PORT=3000 node main.js, the PORT variable is considered predefined. However, variables loaded by the ConfigModule from a .env file are not classified as predefined.

A new skipProcessEnv option has also been introduced. This option allows you to prevent the ConfigService#get method from accessing the process.env object entirely, which can be helpful when you want to restrict the service from reading environment variables directly.

Changelog

  • chore: update config attributes to more self descriptive names (c2eaf04)
  • chore(deps): update nest monorepo to v11 (1c20713)
  • feat: order of reading variables, add skip predefined (c53c63c)
Commits
  • fc0db0a chore(): release v4.0.3
  • 3c57f35 Merge pull request #2100 from nestjs/renovate/dotenv-17.x
  • 560f095 fix(deps): update dependency dotenv to v17
  • 2585fd9 Merge pull request #2189 from nestjs/renovate/cimg-node-24.x
  • 23735a1 Merge pull request #2146 from nestjs/renovate/dotenv-expand-12.x
  • 55ba08b fix(deps): update dependency dotenv-expand to v12.0.3
  • 7fb8984 Merge pull request #2250 from nestjs/renovate/npm-lodash-vulnerability
  • 2248d7b chore(deps): update nest monorepo to v11.1.13 (#2260)
  • c77a8f6 chore(deps): update dependency @​types/node to v24.10.10 (#2259)
  • 48212e0 chore(deps): update commitlint monorepo to v20.4.1 (#2258)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump lodash and @nestjs/config
712fa9f 
Bumps [lodash](https://github.com/lodash/lodash) to 4.17.23 and updates ancestor dependency [@nestjs/config](https://github.com/nestjs/config). These dependencies need to be updated together.


Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `@nestjs/config` from 3.3.0 to 4.0.3
- [Release notes](https://github.com/nestjs/config/releases)
- [Commits](nestjs/config@3.3.0...4.0.3)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
- dependency-name: "@nestjs/config"
  dependency-version: 4.0.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants