chore(deps): update dependency sequelize to v6 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
sequelize (source)	^4.0.0 → ^6.0.0

GitHub Vulnerability Alerts

CVE-2019-10752

Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:

return User.findAll({
  where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Recommendation

If you are using sequelize 5.x, upgrade to version 5.15.1 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10748

Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.

Recommendation

If you are using sequelize 5.x, upgrade to version 5.8.11 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
If you are using sequelize 3.x, upgrade to version 3.35.1 or later.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-25813

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

Severity

• CVSS Score: 10.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2023-22580

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2023-22579

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0.alpha-20

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

Severity

• CVSS Score: 10.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2023-22578

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

---

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578

Severity

• CVSS Score: 10.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

---

Release Notes

sequelize/sequelize (sequelize)

v6.29.0

Compare Source

v6.28.2

Compare Source

v6.28.1

Compare Source

v6.28.0

Compare Source

v6.27.0

Compare Source

v6.26.0

Compare Source

v6.25.8

Compare Source

v6.25.7

Compare Source

v6.25.6

Compare Source

v6.25.5

Compare Source

v6.25.4

Compare Source

v6.25.3

Compare Source

v6.25.2

Compare Source

v6.25.1

Compare Source

v6.25.0

Compare Source

v6.24.0

Compare Source

v6.23.2

Compare Source

v6.23.1

Compare Source

v6.23.0

Compare Source

v6.22.1

Compare Source

v6.22.0

Compare Source

v6.21.6

Compare Source

v6.21.5

Compare Source

v6.21.4

Compare Source

v6.21.3

Compare Source

v6.21.2

Compare Source

v6.21.1

Compare Source

v6.21.0

Compare Source

v6.20.1

Compare Source

v6.20.0

Compare Source

v6.19.2

Compare Source

v6.19.1

Compare Source

v6.19.0

Compare Source

v6.18.0

Compare Source

v6.17.0

Compare Source

v6.16.3

Compare Source

v6.16.2

Compare Source

v6.16.1

Compare Source

Bug Fixes

• correct path to package.json in Sequelize.version (#​14073) (b95c213)

v6.16.0

Compare Source

Features

• gen /lib & /types from /src & drop /dist (v6) (#​14063) (6b8fbb4)

v6.15.1

Compare Source

Bug Fixes

• types: accept $nested.syntax$ in WhereAttributeHash (#​13983) (4a513cf)
• types: correct typing definitions for Sequelize.where (#​14018) (99c612b)
• types: improve branded types (#​13990) (a578ea0)

v6.15.0

Compare Source

Bug Fixes

• types: deduplicate error typings (#​14002) (fc28629)

Features

• add options.rawErrors to Sequelize#query method (#​13881) (7c58851)

v6.14.1

Compare Source

Bug Fixes

• rollback PR #​13951 in v6 (#​14004) (1882f3c)

v6.14.0

Compare Source

Bug Fixes

• don't call overloaded versions of find functions internally (#​13951) (fc53cdb)
• don't call overloaded versions of find functions internally (#​13951) (b253d8e)
• model.d: fix type for count and findAndCountAll (#​13786) (b06c1fc)
• types: add hooks to InstanceDestroyOptions type (#​13491) (dbd9ea8)
• types: add missing fields to FindOr{Create,Build}Options (#​13389) (ef63f8f)
• types: fix QueryInterface#bulkInsert attribute arg type (#​13945) (9e108e3)

Features

• types: add InferAttributes utility type (#​13909) (fd42687)
• types: add typings for DataTypes.TSVECTOR (#​13940) (b8f0463)
• types: drop TypeScript < 4.1 (#​13954) (dd49044)

v6.13.0

Compare Source

Bug Fixes

• fix typings for queries with {plain: true} option (#​13899) (308d017)

Features

• mariadb: add mariadb support in Sequelize.set function (#​13926) (02bda05), closes #​13920
• postgres: drop indices concurrently in Postgres (#​13903) (37f20a6)

v6.12.5

Compare Source

Bug Fixes

• dialect: sequelize pool doesn't take effect in dialect "mssql" (#​13880) (fc155b6)
• model: fix count with grouping typing (#​13884) (49beb29), closes #​13871
• types: improve ModelCtor / ModelStatic typing (#​13890) (34aa808)
• types: omit FK and scope keys in HasManyCreateAssociationMixin (#​13892) (b315ce8)

v6.12.4

Compare Source

Bug Fixes

• mssql/async-queue: fix unable to start mysql due to circular ref (#​13823) (49e8614)

v6.12.3

Compare Source

Bug Fixes

• data-types: moment object throwing error (#​13818) (78c7414)

v6.12.2

Compare Source

Bug Fixes

• abstract: patch jsonb operator for pg if value is json (#​13780) (a2375c5)
• operators: fix ts support for operators.ts (#​13805) (b532ab1)
• postgres: allows usage of schema for ARRAY(ENUM) type name (#​13807) (da5b0ce)
• query-interface: bring back quoteIdentifier(s) to queryInterface (#​13810) (001dc60)

v6.12.1

Compare Source

Bug Fixes

• allow deep imports (#​13795) (1ecdaf9)
• fix invalid ts import style of lib/operators (#​13797) (8acc14f)

v6.12.0

Compare Source

Bug Fixes

• data-types: unnecessary warning when getting data with DATE dataTypes (#​13712) (121884b)
• docs: add aws-lamda route (#​13693) (3059bce)
• example: fix coordinates format as per GeoJson (#​13718) (f9dec20)
• increment: fix key value broken query (#​12985) (fc0b19e)
• model.d: fix findAndCountAll.count type (#​13736) (b7b472e)
• snowflake: fix to prevent disconnect attempt on already disconnected connection (#​13775) (2a9a551)
• types: add Col to where Ops (#​13717) (2d7b865)
• types: add instance member declaration (#​13684) (ae3cde5)
• types: add missing schema field to sequelize options (c7a0839), closes #​12606
• types: allow override json function with custom return type (#​13694) (2c3b384)
• upsert: fall back to DO NOTHING if no update key values provided (#​13594) (4071378)
• upsert: fall back to DO NOTHING if no update key values provided (#​13711) (f9dfaa7), closes #​13594
• wrong interface used within mixin (#​13685) (bd3ddf5)

Features

• dialects: add experimental support for db2 (#​13374) (4443d2a)
• dialect: snowflake dialect support (#​13406) (ad68a5e)
• model: complete getAttributes feature (b6510df)
• typescript: create alpha release with ts (911125e)
• types: transition lib/errors (#​13710) (8cdce6a)
• upsert: add conflictFields option (#​13723) (496bede)

v6.11.0

Compare Source

Features

• option for attributes having dotNotation (#​13670) (41876f1)

v6.10.0

Compare Source

Bug Fixes

• typing on creation within an association (#​13678) (0312f8e)
• logger: change logging depth from 3 to 1 (#​12879) (ddddc24)
• mariadb: fix MariaDB 10.5 JSON (#​13633) (cdd61dd)
• model: clone options object instead of modifying (#​13589) (3be43de)
• mssql: fix sub query issue occurring with renamed primary key fields (#​12801) (73d99ab)
• mssql: sqlserver 2008 fix for using offsets and include criteria (47c4494)
• query: make stacktraces include original calling code (#​13347) (f581543)
• types: Add missing type definitions in models (#​13553) (73ecf6c)
• types: add specifc tojson type in model.d.ts (#​13661) (5924be5)
• types: DataType.TEXT overloading definition (#​13654) (1690801)
• types: include 'paranoid' in IncludeThroughOptions definition (#​13625) (b1fb1f3)
• types: ne op documentation (#​13666) (98485df)
• types: rename types and update CONTRIBUTING docs (#​13348) (1f23924)
• expect result is null but got zero (#​13637) (da3ac09)

Features

• definitions: Adds AbstractQuery and before/afterQuery hook definitions (#​13635) (37a5858)
• postgresql: easier SSL config and options param support (#​13673) (9591573)

v6.9.0

Compare Source

Bug Fixes

• docs: using incorrect esdocs syntax (#​13615) (c3c690b)
• sqlite: quote table names in sqlite getForeignKeysQuery (#​13587) (eeb6a8f)
• upsert: do not overwrite an explcit created_at during upsert (#​13593) (594cee8)

Features

• mysql: add support for MySQL v8 (#​13618) (35978f0)

v6.8.0

Compare Source

Bug Fixes

• types: allow any values in isIn validator (#​12962) (d511d91)
• allows insert primary key with zero (#​13458) (e4aff2f)
• model: Convert number values only if they aren't null to avoid NaN (199b632)
• model.d: accept [Op.is] in where (broken in TypeScript 4.4) (#​13499) (d685a9a)
• postgres: fix findCreateFind to work with postgres transactions (#​13482) (84421d7)
• select: do not force set subQuery to false (#​13490) (0943339)
• sqlite: fix wrongly overwriting storage if empty string (#​13376) (c3e608b), closes #​13375
• types: add missing upsert hooks (#​13394) (5e9c209)
• types: extend BulkCreateOptions by SearchPathable (#​13469) (47c2d05), closes #​13454
• types: typo in model.d.ts (#​13574) (31d0fbc)

Features

• postgres: support query_timeout dialect option (#​13258) (3ca085d)
• typings: add UnknownConstraintError (#​13461) (69d899e)

v6.7.0

Compare Source

Bug Fixes

• deps: upgrade to secure versions of dev deps (#​13549) (cf53734)
• docs: fix typo in documentation for polymorphic associations (#​13405) (bbf3d76)
• types: allow rangable to take a string tuple (#​13486) (ca2a11a)

Features

• test: add test for nested column in where query (#​13478) (26b62c7), closes #​13288
• types: make config type deeply writeable for before connect hook (#​13424) (f078f77)

v6.6.5

Compare Source

Bug Fixes

• dependency: upgrade validator (#​13350) (56bb1d6)

v6.6.4

Compare Source

Bug Fixes

• typings: make Transactionable compatible with TransactionOptions (#​13334) (cd2de40)
• utils: clone attributes before mutating them (#​13226) (1a16b91)
• data-types: use proper field name for ARRAY(ENUM) (#​13210) (1cfbd33)
• typings: fix ignoreDuplicates option (#​13220) (b33d78e)
• typings: allow schema for queryInterface methods (#​13223) (6b0b532)
• typings: restrict update typings (#​13216) (63ceb73)
• typings: returning can specify column names (#​13215) (143cc84)
• typings: model init returns model class, not instance (#​13214) (8f2a0d5)
• plurals: bump inflection dependency (#​13260) (deeb5c6)
• bulk-create: ON CONFLICT with unique index (#​13345) (6dcb565)

v6.6.2

Compare Source

Bug Fixes

• types: fix Model.prototype.previous() (#​13042) (5b16b32)

v6.6.1

Compare Source

Bug Fixes

• query-generator: use AND in sql for not/between (#​13043) (a663c54)
• sqlite: retrieve primary key on upsert (#​12991) (023e1d9)
• types: allow (keyof TAttributes)[] in UpdateOptions.returning (#​13130) (97ba242)
• types: models with attributes couldn't be used in some cases (#​13010) (de5f21d)
• types: remove string from Order type (#​13057) (ac39f8a)

v6.6.0

Compare Source

Bug Fixes

• types: allow sequelize.col in attributes (#​13105) (3fd64cb)
• types: allow bigints in WhereValue (#​13028) (8892507)
• types: decapitalize queryGenerator property (#​13126) (9cb4d7f)
• types: fix Model#previous type (#​13106) (466e361)
• types: fix ValidationErrorItem types (#​13108) (e35a9bf)

Features

• add-constraint: add deferrable option (#​13096) (f98bd7e)

v6.5.1

Compare Source

Bug Fixes

• mysql: release connection on deadlocks (#​13102) (6388507)
  • Note: this complements the work done in 6.5.0, fixing another situation not covered by it with MySQL.
• types: allow transaction to be null (#​13093) (ced4dc7)

v6.5.0

Compare Source

Second release in 2021! 🎉

Bug Fixes

• mysql, mariadb: release connection on deadlocks (#​12841) (c77b1f3)
• types: allow changing values on before hooks (#​12970) (e5b8929)
• types: typo in sequelize.js and sequelize.d.ts (#​12975) (2fe980e)

Features

• postgres: add TSVECTOR datatype and @@​ operator (#​12955) (e45df29)

v6.4.0

Compare Source

First release in 2021! 🎉

Bug Fixes

• types: better support for readonly arrays (287607a)
• types: remove part forgotten in #​12175 (2249ded)

Features

• query-interface: support composite foreign keys (#​12456) (9ecebef)

v6.3.5

Compare Source

Bug Fixes

• truncate: fix missing await in truncate all models with cascade (#​12664) (933b3f6)

v6.3.4

Compare Source

Bug Fixes

• model: handle true timestamp fields correctly (#​12580) (#​12581) (490db41)

v6.3.3

Compare Source

Bug Fixes

• mark database drivers as optional peer dependencies (#​12484) (ec2af0d)

v6.3.2

Compare Source

Bug Fixes

• upsert: set isNewRecord to false when upserting (#​12447) (#​12485) (96f4166)

v6.3.1

Compare Source

Bug Fixes

• use lodash _baseIsNative directly instead of _.isNative (#​12358) (#​12475) (#​12480) (631f555)

v6.3.0

Compare Source

Bug Fixes

• mssql: upsert query with falsey values (#​12453) (#​12459) (4d82907)

Features

• types: Add ModelDefined type as syntactic sugar (#​12445) (5cabcbc)

v6.2.4

Compare Source

Bug Fixes

• types: update SaveOptions type to include Hookable (#​12441) (#​12444) (9a45509)

v6.2.3

Compare Source

Bug Fixes

• sqlite: describeTable now returns unique constraint and references (#​12420) (2de3377)

v6.2.2

Compare Source

Bug Fixes

• types: fixed types for model.init and sequelize.define; update docs (#​12435) (9c446f9)

v6.2.1

Compare Source

Bug Fixes

• mssql: insert/upsert operations do not return all fields (#​12433) (aeb318a)

v6.2.0

Compare Source

Bug Fixes

• types: references support for string (#​12407) (962ed3c)

Features

• types: added optional stricter typing for Model attributes (#​12405) (871157b)

v6.1.1

Compare Source

Bug Fixes

• mssql: returning data for bulkUpdate (#​12413) (e36212c)

v6.1.0: v6

Compare Source

Sequelize v6 is the next major release after v5. Below is a list of breaking changes to help you upgrade.

Breaking Changes

Support for Node 10 and up

Sequelize v6 will only support Node 10 and up #​10821.

CLS

You should now use cls-hooked package for CLS support.

  const cls = require('cls-hooked');
  const namespace = cls.createNamespace('....');
  const Sequelize = require('sequelize');

  Sequelize.useCLS(namespace);

Database Engine Support

We have updated our minimum supported database engine versions. Using older database engine will show SEQUELIZE0006 deprecation warning. Please check ENGINE.md for version table.

Sequelize

• Bluebird has been removed. Internally all methods are now using async/await. Public API now returns native promises. Thanks to Andy Edwards for this refactor work.
• Sequelize.Promise is no longer available.
• sequelize.import method has been removed.

Model

options.returning

Option returning: true will no longer return attributes that are not defined in the model. Old behavior can be achieved by using returning: ['*'] instead.

Model.changed()

This method now tests for equality with _.isEqual and is now deep aware for JSON objects. Modifying a nested value for a JSON object won't mark it as changed (since it is still the same object).

  const instance = await MyModel.findOne();

  instance.myJsonField.someProperty = 12345; // Changed from something else to 12345
  console.log(instance.changed()); // false

  await instance.save(); // this will not save anything

  instance.changed('myJsonField', true);
  console.log(instance.changed()); // ['myJsonField']

  await instance.save(); // will save

Model.bulkCreate()

This method now throws Sequelize.AggregateError instead of Bluebird.AggregateError. All errors are now exposed as errors key.

Model.upsert()

Native upsert is now supported for all dialects.

const [instance, created] = await MyModel.upsert({});

Signature for this method has been changed to Promise<Model,boolean | null>. First index contains upserted instance, second index contains a boolean (or null) indicating if record was created or updated. For SQLite/Postgres, created value will always be null.

• MySQL - Implemented with ON DUPLICATE KEY UPDATE
• PostgreSQL - Implemented with ON CONFLICT DO UPDATE
• SQLite - Implemented with ON CONFLICT DO UPDATE
• MSSQL - Implemented with MERGE statement

Note for Postgres users: If upsert payload contains PK field, then PK will be used as the conflict target. Otherwise first unique constraint will be selected as the conflict key.

QueryInterface

addConstraint

This method now only takes 2 parameters, tableName and options. Previously the second parameter could be a list of column names to apply the constraint to, this list must now be passed as options.fields property.

Changelog

6.0.0-beta.7

• docs(associations): belongs to many create with through table
• docs(query-interface): fix broken links #​12272
• docs(sequelize): omitNull only works for CREATE/UPDATE queries
• docs: asyncify #​12297
• docs: responsive #​12308
• docs: update feature request template
• feat(postgres): native upsert #​12301
• feat(sequelize): allow passing dialectOptions.options from url #​12404
• fix(include): check if attributes specified for included through model #​12316
• fix(model.destroy): return 0 with truncate #​12281
• fix(mssql): empty order array generates invalid FETCH statement #​12261
• fix(postgres): parse enums correctly when describing a table #​12409
• fix(query): ensure correct return signature for

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

Merging #119 (5885935) into master (7e6cad0) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##            master      #119   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           36        36           
  Branches         6         6           
=========================================
  Hits            36        36