This repository has been archived by the owner on Jan 19, 2024. It is now read-only.

fix(deps): update dependency sequelize to v6.29.0 [security] #283

Merged

carolineBda merged 1 commit into main from renovate/npm-sequelize-vulnerability

Mar 7, 2023

Contributor

renovate bot commented Mar 7, 2023

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sequelize (source)	`6.21.2` -> `6.29.0`

GitHub Vulnerability Alerts

CVE-2023-22580

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

CVE-2023-22579

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0.alpha-20

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

CVE-2023-22578

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578

Release Notes

sequelize/sequelize

`v6.29.0`

Features

throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)

`v6.28.2`

Bug Fixes

accept undefined in where (#15703) (13f2e89)

`v6.28.1`

Bug Fixes

throw if where receives an invalid value (#15699) (d9e0728)
update moment-timezone version (#15685) (48d6193)

`v6.28.0`

Features

types: use retry-as-promised types for retry options to match documentation (#15484) (fd4afa6)

`v6.27.0`

Features

add support for bigints (backport of #14485) (#15413) (1247c01)

`v6.26.0`

Features

postgres: add support for lock_timeout [#15345] (#15355) (94beace)

`v6.25.8`

Bug Fixes

oracle: remove hardcoded maxRows value (#15323) (7885000)

`v6.25.7`

Bug Fixes

fix parameters not being replaced when after $$ strings (#15307) (bc39fd6)

`v6.25.6`

Bug Fixes

postgres: invalidate connection after client-side timeout (#15283) (a205765), closes /github.com/brianc/node-postgres/blob/5538df6b446f4b4f921947b460fe38acb897e579/packages/pg/lib/client.js#L529

`v6.25.5`

Bug Fixes

remove options.model overwrite on bulkUpdate (#15252) (67e69cd), closes #15231

`v6.25.4`

Bug Fixes

types: add instance.dataValues property to model.d.ts (#15240) (00c6da3)

`v6.25.3`

Bug Fixes

don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139) (7990095), closes #14700

`v6.25.2`

Bug Fixes

types: fix TS 4.9 excessive depth error on InferAttributes (v6) (#15135) (851daaf)

`v6.25.1`

Bug Fixes

types: expose legacy "types" folder in export alias ( #15123) (9dd93b8)

`v6.25.0`

Features

oracle: add support for dialectOptions.connectString (#15042) (06ad05d)

`v6.24.0`

Features

snowflake: Add support for QueryGenerator#tableExistsQuery (#15087) (a44772e)

`v6.23.2`

Bug Fixes

postgres: add custom order direction to subQuery ordering with minified alias (#15056) (7203b66)

`v6.23.1`

Bug Fixes

oracle: add support for Oracle DB 18c CI (#15016) (5f621d7), closes #1 #7 #9 #13 #14 #16

`v6.23.0`

Features

types: add typescript 4.8 compatibility (#14990) (3468378)

`v6.22.1`

Bug Fixes

types: missing type for oracle dialect in v6 (#14992) (1da6657), closes #14991

`v6.22.0`

Features

oracle: add oracle dialect support (#14638) (c230d80), closes #1 #7 #9 #13 #14 #16

`v6.21.6`

Bug Fixes

types: backport #14704 for v6 (#14964) (33d94b2)

`v6.21.5`

Bug Fixes

mariadb: do not automatically parse JSON fields (#14800) (d047f32)

`v6.21.4`

Bug Fixes

minified aliases are now properly referenced in subqueries (v6) (#14852) (5a257bc), closes #14804

`v6.21.3`

Bug Fixes

postgres: attach postgres error-handler earlier in lifecycle (v6) (#14731) (90bb694)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency sequelize to v6.29.0 [security]

c0c6910

renovate bot added the dependencies label

sonarcloud bot commented Mar 7, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

github-actions bot deployed to mon-psy-sante-renovate-npm-sequelize-vulnerability-566zny

March 7, 2023 09:12

View deployment

github-actions bot commented Mar 7, 2023

🎉 Deployment for commit c0c6910 :

Ingresses

Docker images

📦 docker pull ghcr.io/socialgouv/mon-psy-sante/app:sha-c0c69104592455023d5b736a3cfec1a92b7c2ef6

Debug

carolineBda approved these changes

View reviewed changes

carolineBda merged commit 3c68e8b into main

carolineBda deleted the renovate/npm-sequelize-vulnerability branch

March 7, 2023 09:50

SocialGroovyBot added a commit that referenced this pull request


          chore(release): version 1.69.1

a3b7f74

## [1.69.1](v1.69.0...v1.69.1) (2023-03-07)

### Bug Fixes

* **deps:** update dependency sequelize to v6.29.0 [security] ([#283](#283)) ([3c68e8b](3c68e8b))

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels