Nhost

v@nhost/[email protected] Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 12h API Development

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

authentication backend backend-as-a-service database firebase flutter

+12 more

graphql hasura javascript nextjs nhost postgresql react serverless serverless-functions storage typescript vue

Affected surfaces

deps

ReleasePort's take

Moderate signal

editorial:auto 10h

The release updates the brace‑expansion and ws dependencies to fix associated CVEs, merges GraphQL request headers into nhost-js, and refactors nixops build configuration and caching storage.

Why it matters: Security advisories addressed for brace-expansion (CVE) and ws (GHSA-58qx-3vcg-4xpx); all users of @nhost/[email protected] should upgrade to obtain the header‑merging fix and benefit from nixops refactor improvements.

Summary

AI summary

Updates 🐛 Bug Fixes, deps, and ⚙️ Miscellaneous Tasks across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Updates brace-expansion dependency to address CVE. Updates brace-expansion dependency to address CVE. Source: llm_adapter@2026-06-03 Confidence: high	—
Security	Critical	Patches ws advisory GHSA-58qx-3vcg-4xpx. Patches ws advisory GHSA-58qx-3vcg-4xpx. Source: llm_adapter@2026-06-03 Confidence: high	—
Dependency	Low	Updates various packages due to multiple CVEs. Updates various packages due to multiple CVEs. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Merges GraphQL request headers into nhost-js. Merges GraphQL request headers into nhost-js. Source: llm_adapter@2026-06-03 Confidence: high	—
Refactor
Refactor	Low	Drops nix-filter input, using pkgs.lib.fileset instead. Drops nix-filter input, using pkgs.lib.fileset instead. Source: llm_adapter@2026-06-03 Confidence: high	—
Refactor	Low	Migrates cache storage from previous backend to r2. Migrates cache storage from previous backend to r2. Source: llm_adapter@2026-06-03 Confidence: low	—
Refactor	Low	Migrates cache storage in nixops to use r2. Migrates cache storage in nixops to use r2. Source: granite4.1:30b@2026-06-03-audit Confidence: low	—

Full changelog

[@nhost/[email protected]] - 2026-06-03

🐛 Bug Fixes

(deps) Update brace-expansion due to CVE (#4306)
(deps) Fix ws advisory (GHSA-58qx-3vcg-4xpx) (#4307)
(nhost-js) Merge GraphQL request headers (#4437)

⚙️ Miscellaneous Tasks

(nixops) Drop nix-filter input in favor of pkgs.lib.fileset (#4377)
(nixops) Migrate cache to r2 (#4393)

Chore

(deps) Update various packages due to CVEs (#4328)

Breaking Changes

Drop nix-filter input in favor of pkgs.lib.fileset (nixops)
Migrate cache to r2 (nixops)

Security Fixes

CVE update for brace-expansion
GHSA-58qx-3vcg-4xpx advisory fix for ws

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Nhost

Get notified when new releases ship.

About Nhost

The Open Source Firebase Alternative with GraphQL.

All releases →