Update dependency sequelize to v4 [SECURITY] #39
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.8->4.44.3GitHub Vulnerability Alerts
CVE-2015-1369
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
CVE-2016-10553
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier.
CVE-2016-10556
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put
["test", "'); DELETE TestTable WHERE Id = 1 --')"]inside ofdatabase.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } });and cause the SQL statement to becomeSELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --'). In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.CVE-2016-10550
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the
limitororderparameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.GHSA-wfp9-vr4j-f49j / WS-2019-0053
Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.
CVE-2019-10752
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVE-2019-10748
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.
CVE-2019-10749
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.
Release Notes
sequelize/sequelize
v4.44.3Compare Source
Security
This release fixes two security issues for MySQL, both affecting same component.
https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221
v4.44.2Compare Source
Bug Fixes
v4.44.1Compare Source
Bug Fixes
v4.44.0Compare Source
Bug Fixes
Features
v4.43.2Compare Source
Bug Fixes
v4.43.1Compare Source
v4.43.0Compare Source
v4.42.1Compare Source
v4.42.0Compare Source
v4.41.2Compare Source
v4.41.1Compare Source
v4.41.0Compare Source
v4.40.0Compare Source
v4.39.1Compare Source
v4.39.0Compare Source
v4.38.1Compare Source
v4.38.0Compare Source
v4.37.10Compare Source
v4.37.9Compare Source
v4.37.8Compare Source
v4.37.7Compare Source
v4.37.6Compare Source
v4.37.5Compare Source
v4.37.4Compare Source
v4.37.3Compare Source
v4.37.2Compare Source
v4.37.1Compare Source
v4.37.0Compare Source
v4.36.1Compare Source
v4.36.0Compare Source
v4.35.5Compare Source
v4.35.4Compare Source
v4.35.3Compare Source
v4.35.2Compare Source
v4.35.1Compare Source
v4.35.0Compare Source
v4.34.1Compare Source
v4.34.0Compare Source
v4.33.4Compare Source
v4.33.3Compare Source
v4.33.2Compare Source
v4.33.1Compare Source
v4.33.0Compare Source
v4.32.7Compare Source
v4.32.6Compare Source
v4.32.5Compare Source
v4.32.4Compare Source
v4.32.3Compare Source
v4.32.2Compare Source
v4.32.1Compare Source
v4.32.0Compare Source
v4.31.2Compare Source
v4.31.1Compare Source
v4.31.0Compare Source
v4.30.2Compare Source
v4.30.1Compare Source
v4.30.0Compare Source
v4.29.3Compare Source
v4.29.2Compare Source
v4.29.1Compare Source
v4.29.0Compare Source
v4.28.8Compare Source
v4.28.7Compare Source
v4.28.6Compare Source
v4.28.5Compare Source
v4.28.4Compare Source
v4.28.3Compare Source
v4.28.2Compare Source
v4.28.1Compare Source
v4.28.0Compare Source
v4.27.0Compare Source
v4.26.0Compare Source
v4.25.2Compare Source
v4.25.1Compare Source
v4.25.0Compare Source
v4.24.0Compare Source
v4.23.4Compare Source
v4.23.3Compare Source
v4.23.2Compare Source
v4.23.1Compare Source
v4.23.0Compare Source
v4.22.16Compare Source
v4.22.15Compare Source
v4.22.14Compare Source
v4.22.13Compare Source
v4.22.12Compare Source
v4.22.11Compare Source
v4.22.10Compare Source
v4.22.9Compare Source
v4.22.8Compare Source
v4.22.7Compare Source
v4.22.6Compare Source
v4.22.5Compare Source
v4.22.4Compare Source
v4.22.3Compare Source
v4.22.2Compare Source
v4.22.1Compare Source
v4.22.0Compare Source
v4.21.0Compare Source
v4.20.3Compare Source
v4.20.2Compare Source
v4.20.1Compare Source
v4.20.0Compare Source
v4.19.0Compare Source
v4.18.0Compare Source
v4.17.2Compare Source
v4.17.1Compare Source
v4.17.0Compare Source
v4.16.2Compare Source
v4.16.1Compare Source
v4.16.0Compare Source
v4.15.2Compare Source
v4.15.1Compare Source
v4.15.0Compare Source
v4.14.0Compare Source
v4.13.17Compare Source
v4.13.16Compare Source
v4.13.15Compare Source
v4.13.14Compare Source
v4.13.13Compare Source
v4.13.12Compare Source
v4.13.11Compare Source
v4.13.10Compare Source
v4.13.9Compare Source
v4.13.8Compare Source
v4.13.7Compare Source
v4.13.6Compare Source
v4.13.5Compare Source
v4.13.4Compare Source
v4.13.3Compare Source
v4.13.2Compare Source
v4.13.1Compare Source
v4.13.0Compare Source
v4.12.0Compare Source
v4.11.7Compare Source
v4.11.6Compare Source
v4.11.5Compare Source
v4.11.4Compare Source
v4.11.3Compare Source
v4.11.2Compare Source
v4.11.1Compare Source
v4.11.0Compare Source
v4.10.3Compare Source
v4.10.2Compare Source
v4.10.1Compare Source
v4.10.0Compare Source
v4.9.0Compare Source
v4.8.4Compare Source
v4.8.3Compare Source
v4.8.2Compare Source
v4.8.1Compare Source
v4.8.0Compare Source
v4.7.5Compare Source
v4.7.4Compare Source
v4.7.3Compare Source
v4.7.2Compare Source
v4.7.1Compare Source
v4.7.0Compare Source
v4.6.0Compare Source
v4.5.0Compare Source
v4.4.10Compare Source
v4.4.9Compare Source
v4.4.8Compare Source
v4.4.7Compare Source
v4.4.6Compare Source
v4.4.5Compare Source
v4.4.4Compare Source
v4.4.3Compare Source
v4.4.2Compare Source
v4.4.1Compare Source
v4.4.0Compare Source
v4.3.2Compare Source
v4.3.1Compare Source
v4.3.0Compare Source
v4.2.1Compare Source
v4.2.0Compare Source
v4.1.0Compare Source
v4.0.0Compare Source
v3.35.1Compare Source
v3.35.0Compare Source
v3.34.0Compare Source
v3.33.0Compare Source
v3.32.1Compare Source
v3.31.2Compare Source
v3.31.1Compare Source
v3.31.0Compare Source
v3.30.4Compare Source
v3.30.3Compare Source
v3.30.2Compare Source
v3.30.1Compare Source
v3.30.0Compare Source
v3.29.0Compare Source
v3.28.0Compare Source
v3.27.0Compare Source
v3.26.0Compare Source
v3.25.1Compare Source
v3.25.0Compare Source
v3.24.8Compare Source
v3.24.7Compare Source
v3.24.6Compare Source
v3.24.5Compare Source
v3.24.4Compare Source
v3.24.3Compare Source
v3.24.2Compare Source
v3.24.1Compare Source
v3.24.0Compare Source
v3.23.6Compare Source
v3.23.5Compare Source
v3.23.4Compare Source
v3.23.3Compare Source
v3.23.2Compare Source
v3.23.1Compare Source
v3.23.0Compare Source
v3.22.0Compare Source
v3.21.0Compare Source
v3.20.0Compare Source
v3.19.3Compare Source
v3.19.2Compare Source
v3.19.1Compare Source
v3.19.0Compare Source
v3.18.0Compare Source
v3.17.3Compare Source
v3.17.2Compare Source
v3.17.1Compare Source
v3.17.0Compare Source
v3.16.0Compare Source
v3.15.1Compare Source
v3.15.0Compare Source
v3.14.2Compare Source
v3.14.1Compare Source
v3.14.0Compare Source
v3.13.0Compare Source
v3.12.2Compare Source
v3.12.1Compare Source
v3.12.0Compare Source
v3.11.0Compare Source
v3.10.0Compare Source
v3.9.0Compare Source
v3.8.0Compare Source
v3.7.1Compare Source
v3.7.0Compare Source
v3.6.0Compare Source
v3.5.1Compare Source
v3.5.0Compare Source
v3.4.1Compare Source
v3.4.0Compare Source
v3.3.2Compare Source
v3.3.1Compare Source
v3.3.0Compare Source
v3.2.0Compare Source
v3.1.1Compare Source
v3.1.0Compare Source
v3.0.1Compare Source
v3.0.0Compare Source
v2.1.3Compare Source
v2.1.2Compare Source
v2.1.1Compare Source
v2.1.0Compare Source
v2.0.6Compare Source
v2.0.5Compare Source
v2.0.4Compare Source
v2.0.3Compare Source
v2.0.2Compare Source
v2.0.1Compare Source
v2.0.0Compare Source
v1.7.11Compare Source
v1.7.10Compare Source
v1.7.9Compare Source
Renovate configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.