fix(misc): multi-version compliance for @nx/express, @nx/node, and @nx/nest #35807
All alerts resolved. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
- Introduce per-major versionMap covering Express v4 + v5 in versions.ts; fresh-install defaults to v5.1.0 (paired with @types/express ^5.0.0).
- Add assertSupportedExpressVersion wrapper around the shared assertSupportedPackageVersion helper; call it as the first statement of init and application generators.
- Widen peer range to >=4.0.0 <6.0.0 (still optional).
- Pass keepExistingVersions: true through generator install sites; flip schema defaults to true. Init now also installs @types/express.
- Add parameterized all-generators-enforce-floor spec.
- Update supported-versions docs page.

…floors

- Restructure versions.ts into per-package bundles with versionMap + versions(tree) helpers for express (v4 + v5), koa (v2 + v3), fastify (v4 + v5), and @types/node (v22 + v24). Default to v5/v3/v5/v22.
- Add assertSupportedFrameworkVersion dispatcher (one wrapper per framework) and call it as the first statement of the application generator when --framework is selected.
- Route framework + @types/node installs through versions(tree) in add-dependencies.ts; pass keepExistingVersions ?? true (was implicitly false). Flip init schema default to true.
- migrations.json: add requires gate to 22.0.2 (koa v2 -> v3) and to 22.6.0 (within-v3 CVE patch). Split 20.4.0 into the original same-major express bumps and a new 20.4.0-fastify entry gated on fastify v4 -> v5 (avoids AND-semantics on the previous combined entry).
- Declare optional peerDependencies for express, koa, fastify; add semver to dependencies (now imported). Allow these in @nx/dependency-checks' ignoredDependencies (plugin doesn't import them; they are referenced only via __tmpl__ files).
Reflects the package.json edits from the prior two commits: widened express peer in @nx/express, new optional peers on @nx/node (express, koa, fastify), and the new semver runtime dep in both plugins.
- Restructure versions.ts with per-major versionMap covering NestJS v10
and v11 for the full @nestjs/* family plus rxjs and reflect-metadata;
fresh installs default to v11 (with reflect-metadata bumped to
^0.2.0 to match NestJS v11's requirement).
- Add assertSupportedNestJsVersion wrapper around the shared
assertSupportedPackageVersion helper; call it as the first statement
of init, application, and library generators.
- ensure-dependencies and the init add-dependencies helper route
through versions(tree) and pass keepExistingVersions: true; flip
init schema default to true.
- Declare optional peerDependencies for @nestjs/core, @nestjs/common,
reflect-metadata, rxjs. Add semver to dependencies (now imported)
and extend @nx/dependency-checks' ignoredDependencies list.
- migrations.json: rewrite 21.2.0-beta.2 with real package keys
(@nestjs/common, @nestjs/core, @nestjs/platform-express,
@nestjs/testing, @nestjs/schematics, reflect-metadata) — the
previous bare "nest" key was not a real npm package and was a
silent no-op — and gate the v10 -> v11 bump on
requires: { "@nestjs/core": ">=10.0.0 <11.0.0" }.
- Update lockfile and supported-versions docs page.
…x/nest (nrwl#35807)

## Current Behavior

**`@nx/express`**

- Peer dep declares `express: ^4.21.2` only; Express v5 has been ACTIVE since 2025-03-31 and v4 is in MAINT, so the plugin's advertised window doesn't match the upstream support window.
- Generators install a single literal `express ^4.21.2` regardless of what's installed; no per-major routing for `express` or `@types/express`.
- `keepExistingVersions` schema default is `false`, so re-running the generator silently overwrites a user's pinned `express` version.
- No floor enforcement: a workspace on an unsupported (sub-floor) `express` version sees no error.

**`@nx/node`**

- No `peerDependencies` for `express`, `koa`, or `fastify`. Init/application generators write framework deps unconditionally, ignoring what's installed.
- `keepExistingVersions` defaults to `false`; framework installs override user pins.
- `migrations.json` `22.0.2` bumps `koa` from v2 to v3 with no `requires` block — every workspace on koa v2 gets pushed to v3 unconditionally.
- `migrations.json` `20.4.0` mixes a cross-major fastify v4→v5 bump with same-major express bumps under one entry, with no `requires` (AND-semantics would gate same-major bumps incorrectly if added naively).
- No floor enforcement for any framework.

**`@nx/nest`**

- `peerDependencies` block is missing from `package.json` entirely; workspaces have no advertised compatible range for any `@nestjs/*` package.
- Versions module has flat constants; the plugin ships v11-only even though NestJS v10.4.x still receives upstream patches (N & N-1 baseline calls for v10 + v11).
- `migrations.json` `21.2.0-beta.2` uses a bare key `nest` which is not a real npm package — the entry is effectively a no-op. The real cross-major v10→v11 bump for `@nestjs/common`, `@nestjs/core`, `@nestjs/platform-express`, `@nestjs/testing` is missing, as is a `requires` source-major gate.
- No floor enforcement for any NestJS version.

## Expected Behavior

**`@nx/express` (NXC-4390)**

- Per-major `versionMap` keyed on `express` major covering both `express` and `@types/express` for v4 and v5; fresh installs default to v5.1.0.
- `assertSupportedExpressVersion(tree)` (calls shared `assertSupportedPackageVersion`) is the first statement of `initGenerator` and `applicationGeneratorInternal`.
- Peer widened to `express: ">=4.0.0 <6.0.0"` (still optional).
- All `addDependenciesToPackageJson` call sites from generators pass `keepExistingVersions ?? true`; schema defaults flipped to `true`. Init now installs `@types/express` (previously a dead export).
- New `all-generators-enforce-floor.spec.ts` exercises every generator entry at `subFloorVersion: '~3.21.0'`.
- Supported-versions docs page updated.

**`@nx/node` (NXC-4396)**

- Per-package `versionMap` + `versions(tree)` for `express` (v4+v5), `koa` (v2+v3), `fastify` (v4+v5), and `@types/node` (v22+v24). Fresh installs default to active LTS / latest stable.
- `assertSupportedFrameworkVersion(tree, schema.framework)` (dispatches to one wrapper per framework) is the first statement of `applicationGeneratorInternal`, only firing when `--framework` selects a non-`none`/`nest` lane.
- Framework + `@types/node` installs route through `versions(tree)` and pass `keepExistingVersions ?? true`. Init schema default flipped to `true`.
- `migrations.json`: `22.0.2` koa v2→v3 gated with `requires: { koa: ">=2.0.0 <3.0.0" }`. `22.6.0` koa CVE patch gated bilaterally to v3 only. `20.4.0` split into the original same-major express bumps (no gate) and a new `20.4.0-fastify` entry gated on `requires: { fastify: ">=4.0.0 <5.0.0" }`.
- Optional `peerDependencies` declared for `express`, `koa`, `fastify`. Added `semver: "catalog:"` to deps (now imported by `versions.ts`). `@nx/dependency-checks` allow-list updated.

**`@nx/nest` (NXC-4394)**

- Per-major `versionMap` covering NestJS v10 and v11 for the full `@nestjs/*` family plus `rxjs` and `reflect-metadata`. Fresh installs default to NestJS v11, with `reflect-metadata` bumped from `^0.1.13` to `^0.2.0` to match v11's requirement.
- `assertSupportedNestJsVersion(tree)` is the first statement of the `init`, `application`, and `library` generators.
- `ensureDependencies` and the init `addDependencies` helper route through `versions(tree)` and pass `keepExistingVersions: true` (`?? true` on the init path); init schema default flipped to `true`.
- Optional `peerDependencies` declared for `@nestjs/core`, `@nestjs/common`, `reflect-metadata`, `rxjs`. Added `semver: "catalog:"` to deps and extended `@nx/dependency-checks` allow-list.
- `migrations.json` `21.2.0-beta.2` rewritten with real package keys (the previous bare `nest` key was a typo / no-op) and gated on `requires: { "@nestjs/core": ">=10.0.0 <11.0.0" }`. The entry now also bumps `reflect-metadata` to `^0.2.0` for v11 compatibility.
- Supported-versions docs page updated.

## Related Issue(s)

Fixes NXC-4390
Fixes NXC-4396
Fixes NXC-4394

---------

Co-authored-by: Craigory Coppola <craigorycoppola@gmail.com>
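The `requires` gating described in the commit message above, as an added example: a simplified model, not code from this PR or from Nx. It assumes a package that is not installed fails the gate, handles only the `>=A <B` range shape, and uses constructed target versions and workspaces; it shows why the combined `20.4.0` entry was split rather than given a fastify gate.

```javascript
// Added example: simplified model of a `requires` gate, not Nx source code.
// Target versions and workspaces below are constructed for illustration.
const parse = (v) => {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]; ^ or ~ prefix ignored
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
// Handles only the ">=A <B" range shape that the gates on this page use.
function inRange(installed, range) {
  const m = /^>=(\S+)\s+<(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const v = parse(installed);
  return cmp(v, parse(m[1])) >= 0 && cmp(v, parse(m[2])) < 0;
}
// AND-semantics: every package named in `requires` must be installed and in range.
function entryApplies(entry, installed) {
  return Object.entries(entry.requires || {}).every(
    ([pkg, range]) => pkg in installed && inRange(installed[pkg], range)
  );
}
// Returns the version bumps a list of entries would make to `installed`.
function plannedUpdates(entries, installed) {
  const out = {};
  for (const entry of entries) {
    if (!entryApplies(entry, installed)) continue;
    for (const [pkg, version] of Object.entries(entry.packages)) {
      if (pkg in installed) out[pkg] = version; // never add a package that is absent
    }
  }
  return out;
}
const FASTIFY_GATE = { fastify: ">=4.0.0 <5.0.0" };
// Naive fix: one combined entry with the fastify gate bolted on.
const combined = [
  { requires: FASTIFY_GATE, packages: { express: "^4.21.2", fastify: "^5.0.0" } },
];
// The split: ungated same-major bump, gated cross-major bump.
const split = [
  { packages: { express: "^4.21.2" } },
  { requires: FASTIFY_GATE, packages: { fastify: "^5.0.0" } },
];
const expressOnly = { express: "^4.18.0" }; // constructed workspace without fastify
console.log("combined:", plannedUpdates(combined, expressOnly));
console.log("split:   ", plannedUpdates(split, expressOnly));
```
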