Nest.js class-validator high vulnerability fix

14th Oct 2022 • 1 min read — by Aleksandar Trpkovski

If you have used Nest.js recently, you have probably noticed that the class-validator library carries a high-severity vulnerability that has gone unaddressed for quite a while.

The ValidationPipe uses the powerful class-validator package and its declarative validation decorators. The ValidationPipe provides a convenient approach to enforce validation rules for all incoming client payloads. The specific rules are declared with simple annotations in each module's local class/DTO declarations.

The class-validator package works in conjunction with another package, class-transformer. The lack of maintenance led the Nest team to fork the original packages and take over their maintenance.

How to migrate to the new forked packages

  1. Uninstall the existing class-validator and class-transformer packages from the Nest project.

    npm uninstall class-validator class-transformer

  2. Install the newly forked packages.

    npm install @nestjs/class-validator @nestjs/class-transformer

  3. In the main.ts file, add the following:

    // Point the pipe at the forked packages where main.ts constructs it
    new ValidationPipe({
        validatorPackage: require("@nestjs/class-validator"),
        transformerPackage: require("@nestjs/class-transformer"),
    })

And that's all! Now we can start using the newly maintained packages.
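Once the unscoped packages are uninstalled, any remaining reference to `class-validator` or `class-transformer` points at a package that was meant to be removed. The TypeScript check below is an added example, not code from the original post or from the Nest project; it flags such leftovers in a manifest and in source text. The function names, file paths and sample input are assumptions constructed for illustration.

```typescript
// Added example, not from the original post: find leftovers of the unscoped packages.
const LEGACY = ["class-validator", "class-transformer"];

interface PackageManifest {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

interface Finding {
  file: string;
  line: number;
  text: string;
}

// Legacy packages still declared in package.json after the migration.
function legacyDependencies(manifest: PackageManifest): string[] {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  return LEGACY.filter((name) => name in declared);
}

// Matches an import/require of the bare name or a subpath ("class-transformer/storage").
// The quote must directly precede "class-", so "@nestjs/class-validator" never matches.
const LEGACY_SPECIFIER =
  /(?:from\s*|require\(\s*|import\(\s*|import\s+)["']class-(?:validator|transformer)(?:\/[^"']*)?["']/;

// files maps a path to its source text; returns every line that still uses a legacy name.
function legacyImports(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    (files[file] ?? "").split(/\r?\n/).forEach((text, i) => {
      if (LEGACY_SPECIFIER.test(text)) findings.push({ file, line: i + 1, text: text.trim() });
    });
  }
  return findings;
}

// Constructed sample input (versions are placeholders, paths are hypothetical).
const sampleManifest: PackageManifest = {
  dependencies: { "@nestjs/class-validator": "x.y.z", "class-transformer": "x.y.z" },
};
const sampleFiles: Record<string, string> = {
  "src/main.ts": 'validatorPackage: require("@nestjs/class-validator"),',
  "src/users/create-user.dto.ts":
    "import { IsEmail } from 'class-validator';\nimport { Type } from '@nestjs/class-transformer';",
};

console.log(legacyDependencies(sampleManifest), legacyImports(sampleFiles));
```

On the sample input it reports `class-transformer` as still declared and line 1 of the DTO file as still importing the old validator.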


This solution is a workaround for the time being, until the Nest team figures out the best approach to migrate in the future.


