@lenne.tech/nest-server 11.24.0 → 11.24.2

package/migration-guides/11.24.0-to-11.24.1.md

@@ -0,0 +1,67 @@
+# Migration Guide: 11.24.0 → 11.24.1
+
+## Overview
+
+| Category | Details |
+|----------|---------|
+| **Breaking Changes** | None |
+| **New Features** | `pushToArray()`/`pullFromArray()` now accept `ObjectId` and objects with `id`/`_id` property |
+| **Migration Effort** | 0 minutes (no code changes required) |
+
+---
+
+## Quick Migration
+
+No code changes required.
+
+```bash
+# Update package
+pnpm add @lenne.tech/nest-server@11.24.1
+
+# Verify build
+pnpm run build
+
+# Run tests
+pnpm test
+```
+
+---
+
+## What's New in 11.24.1
+
+### Flexible `id` Parameter on `pushToArray()` / `pullFromArray()`
+
+Both methods now accept `string`, `Types.ObjectId`, or any object with an `id`/`_id` property (e.g. a Mongoose Document). IDs are normalized internally via `getStringIds()`, consistent with the rest of the framework.
+
+**Before (11.24.0):** Only `string` was accepted.
+```typescript
+await this.entityService.pushToArray(entity.id, 'logs', newLog);
+await this.entityService.pullFromArray(entity.id.toString(), 'tags', 'old');
+```
+
+**After (11.24.1):** All ID types work directly.
+```typescript
+// String (still works)
+await this.entityService.pushToArray('507f1f77bcf86cd799439011', 'logs', newLog);
+
+// ObjectId
+await this.entityService.pushToArray(new Types.ObjectId(id), 'logs', newLog);
+
+// Object with id property (e.g. Mongoose Document or entity reference)
+await this.entityService.pushToArray(entity, 'logs', newLog);
+
+// Same for pullFromArray
+await this.entityService.pullFromArray(entity, 'tags', 'obsolete');
+```
+
+---
+
+## Compatibility Notes
+
+Existing code using `string` IDs continues to work unchanged. The wider type signature is additive — no existing call sites break.
+
+---
+
+## References
+
+- [Migration Guide 11.23.x → 11.24.0](./11.23.x-to-11.24.0.md) — Full list of changes in 11.24.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.24.0",
+  "version": "11.24.2",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -78,16 +78,16 @@
     "@as-integrations/express5": "1.1.2",
     "@better-auth/passkey": "1.5.5",
     "@getbrevo/brevo": "3.0.1",
-    "@nestjs/apollo": "13.2.4",
+    "@nestjs/apollo": "13.2.5",
     "@nestjs/common": "11.1.18",
     "@nestjs/core": "11.1.18",
-    "@nestjs/graphql": "13.2.4",
+    "@nestjs/graphql": "13.2.5",
     "@nestjs/jwt": "11.0.2",
     "@nestjs/mongoose": "11.0.4",
     "@nestjs/passport": "11.0.5",
     "@nestjs/platform-express": "11.1.18",
     "@nestjs/schedule": "6.1.1",
-    "@nestjs/swagger": "11.2.6",
+    "@nestjs/swagger": "11.2.7",
     "@nestjs/terminus": "11.1.1",
     "@nestjs/websockets": "11.1.18",
     "@tus/file-store": "2.0.0",
@@ -125,7 +125,7 @@
   },
   "devDependencies": {
     "@compodoc/compodoc": "1.2.1",
-    "@nestjs/cli": "11.0.18",
+    "@nestjs/cli": "11.0.19",
     "@nestjs/schematics": "11.0.10",
     "@nestjs/testing": "11.1.18",
     "@swc/cli": "0.8.1",
@@ -136,11 +136,11 @@
     "@types/express": "5.0.6",
     "@types/lodash": "4.17.24",
     "@types/multer": "2.1.0",
-    "@types/node": "25.5.2",
+    "@types/node": "25.6.0",
     "@types/nodemailer": "8.0.0",
     "@types/passport": "1.0.17",
-    "@vitest/coverage-v8": "4.1.3",
-    "@vitest/ui": "4.1.3",
+    "@vitest/coverage-v8": "4.1.4",
+    "@vitest/ui": "4.1.4",
     "ansi-colors": "4.1.3",
     "find-file-up": "2.0.1",
     "husky": "9.1.7",
@@ -157,8 +157,7 @@
     "unplugin-swc": "1.5.9",
     "vite": "7.3.2",
     "vite-plugin-node": "7.0.0",
-    "vite-tsconfig-paths": "6.1.1",
-    "vitest": "4.1.3"
+    "vitest": "4.1.4"
   },
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -181,7 +180,27 @@
   },
   "packageManager": "pnpm@10.33.0",
   "pnpm": {
+    "//overrides": {
+      "axios@<1.15.0": "Security: SSRF via NO_PROXY bypass (GHSA-3p68-rc4w-qgx5) and unrestricted cloud metadata exfiltration (GHSA-fvcv-3m26-pcqx) - transitive via @getbrevo/brevo and node-mailjet. Remove when @getbrevo/brevo ships axios>=1.15.0",
+      "minimatch@<3.1.5": "Security: RegExp DoS (GHSA-p8p7-x288-28g6) - transitive via @getbrevo/brevo>rewire>eslint",
+      "minimatch@>=9.0.0 <9.0.9": "Security: RegExp DoS - transitive via @nestjs/cli>@swc/cli",
+      "minimatch@>=10.0.0 <10.2.5": "Security: RegExp DoS - transitive via @nestjs/apollo>ts-morph>@ts-morph/common and nodemon",
+      "ajv@<6.14.0": "Security: prototype pollution - transitive via @getbrevo/brevo>rewire>eslint",
+      "ajv@>=7.0.0-alpha.0 <8.18.0": "Security: prototype pollution - transitive via @nestjs/cli>@angular-devkit",
+      "undici@>=7.0.0 <7.24.7": "Security: various CVEs - transitive via @compodoc/compodoc>cheerio",
+      "srvx@<0.11.15": "Compatibility: @tus/server@2.3.0 requires ~0.8.2 but 0.11.15 needed for security - remove when @tus/server ships with >=0.11.15",
+      "handlebars@>=4.0.0 <4.7.9": "Security: prototype pollution (GHSA-q42p-pg8m-cqh6) - transitive via @compodoc/compodoc",
+      "brace-expansion@<1.1.13": "Security: RegExp DoS - transitive via eslint>minimatch",
+      "brace-expansion@>=4.0.0 <5.0.5": "Security: RegExp DoS - transitive via nodemon>minimatch and @ts-morph/common>minimatch",
+      "picomatch@<2.3.2": "Security: ReDoS - transitive via @nestjs/graphql>fast-glob>micromatch and @compodoc/compodoc>chokidar",
+      "picomatch@>=4.0.0 <4.0.4": "Security: ReDoS - transitive via vitest and vite",
+      "path-to-regexp@>=8.0.0 <8.4.2": "Security: ReDoS (GHSA-rhx6-c78j-4q9w) - transitive via express>router",
+      "kysely@>=0.26.0 <0.28.15": "Security: SQL injection - transitive via better-auth",
+      "lodash@>=4.0.0 <4.18.0": "Security: CVE in lodash@4.17.x - transitive via @nestjs/graphql. 4.18.1 is the latest patched version",
+      "defu@<=6.1.6": "Security: prototype pollution via __proto__ key - transitive via better-auth"
+    },
     "overrides": {
+      "axios@<1.15.0": "1.15.0",
       "minimatch@<3.1.5": "3.1.5",
       "minimatch@>=9.0.0 <9.0.9": "9.0.9",
       "minimatch@>=10.0.0 <10.2.5": "10.2.5",
@@ -197,8 +216,7 @@
       "path-to-regexp@>=8.0.0 <8.4.2": "8.4.2",
       "kysely@>=0.26.0 <0.28.15": "0.28.15",
       "lodash@>=4.0.0 <4.18.0": "4.18.1",
-      "defu@<=6.1.6": "6.1.7",
-      "vite@>=7.0.0 <7.3.2": "7.3.2"
+      "defu@<=6.1.6": "6.1.7"
     },
     "onlyBuiltDependencies": [
       "bcrypt",

package/src/core/common/services/crud.service.ts

@@ -9,6 +9,7 @@ import {
   Query,
   QueryFilter,
   QueryOptions,
+  Types,
 } from 'mongoose';
 
 import { FilterArgs } from '../args/filter.args';
@@ -707,13 +708,13 @@ export abstract class CrudService<
    * await this.pushToArray(id, 'logs', newLog);
    * await this.pushToArray(id, 'logs', newLog, { $slice: -500 }); // Keep last 500
    *
-   * @param id - Document ID
+   * @param id - Document ID (string, ObjectId, or object with id/_id property)
    * @param field - Array field name. MUST be a compile-time constant — never pass user-controlled input.
    * @param items - Item(s) to append
    * @param options - MongoDB $push modifiers ($slice, $position, $sort)
    */
   async pushToArray(
-    id: string,
+    id: string | Types.ObjectId | { id?: any; _id?: any },
     field: string,
     items: any | any[],
     options?: { $slice?: number; $position?: number; $sort?: Record<string, 1 | -1> },
@@ -727,6 +728,7 @@ export abstract class CrudService<
       return;
     }
 
+    const stringId = getStringIds(id);
     const pushOp: any = { $each: itemsArray };
     if (options?.$slice !== undefined) {
       pushOp.$slice = options.$slice;
@@ -739,7 +741,7 @@ export abstract class CrudService<
     }
 
     await this.mainDbModel
-      .findByIdAndUpdate(id, { $push: { [field]: pushOp } } as any)
+      .findByIdAndUpdate(stringId, { $push: { [field]: pushOp } } as any)
       .lean()
       .exec();
   }
@@ -756,17 +758,22 @@ export abstract class CrudService<
    * // Remove by condition
    * await this.pullFromArray(id, 'logs', { level: 'DEBUG' });
    *
-   * @param id - Document ID
+   * @param id - Document ID (string, ObjectId, or object with id/_id property)
    * @param field - Array field name. MUST be a compile-time constant — never pass user-controlled input.
    * @param condition - Match condition for removal. MUST be application-controlled.
    */
-  async pullFromArray(id: string, field: string, condition: any): Promise<void> {
+  async pullFromArray(
+    id: string | Types.ObjectId | { id?: any; _id?: any },
+    field: string,
+    condition: any,
+  ): Promise<void> {
     if (typeof field !== 'string' || field.startsWith('$') || field.includes('\0')) {
       throw new Error(`pullFromArray: invalid field name "${field}"`);
     }
 
+    const stringId = getStringIds(id);
     await this.mainDbModel
-      .findByIdAndUpdate(id, { $pull: { [field]: condition } } as any)
+      .findByIdAndUpdate(stringId, { $pull: { [field]: condition } } as any)
       .lean()
       .exec();
   }