@nestjs/core -> path-to-regexp : CVE-2026-4923, CVE-2026-4926

[dylanbehetre]

Hello,

npm audit warn about 3 high severity vulnerabilities coming from path-to-regexp through @nestjs/core.

CVE :

• CVE-2026-4923
• CVE-2026-4926

Fix version (8.4.0) is available from path-to-regexp.

Waiting for new @nestjs/core version (>11.17.1) which used path-to-regexp@8.4.0

[NateRadebaugh]

Personally I'm using the following in my package.json for now

  "overrides": {
    "path-to-regexp": ">=8.4.0"
  },

[cyanzule]

@nestjs/core was updated five days ago and dependabot updated this repository with #1187, which went bundled with release https://github.com/OpenAPITools/openapi-generator-cli/releases/tag/v2.31.1!

confirmed on a local repository that it does resolve the outdated dependency too, so this issue seems resolved (although the dependency update is not part of the CHANGELOG)