
Update dependency typeorm to ^0.3.0 [SECURITY] #1183

Open: wants to merge 1 commit into master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 7, 2021

This PR contains the following updates:

Package: typeorm (source)
Change: ^0.2.22 -> ^0.3.0

GitHub Vulnerability Alerts

CVE-2020-8158

Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

CVE-2022-33171

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.


Release Notes

typeorm/typeorm (typeorm)

v0.3.0

Changes in this version include changes from the next branch and the typeorm@next version.
They had been pending migration since 2018. Finally, they are in the master branch and the master version.

Features
  • compilation target now is es2020. This requires Node.JS version 14+

  • TypeORM now properly works when installed within different node_modules contexts
    (this often happens if TypeORM is a dependency of another library or TypeORM is heavily used in monorepo projects)

  • Connection was renamed to DataSource.
    Old Connection is still there, but now it's deprecated. It will be completely removed in next version.
    New API:

export const dataSource = new DataSource({
    // ... options ...
})

// load entities, establish db connection, sync schema, etc.
await dataSource.connect()

Previously, you could use new Connection(), createConnection(), getConnectionManager().create(), etc.
They are all deprecated in favour of the new syntax shown above.

The new way gives you more flexibility and simplicity in usage.

  • new custom repositories syntax:
export const UserRepository = myDataSource.getRepository(UserEntity).extend({
    findUsersWithPhotos() {
        return this.find({
            relations: {
                photos: true
            }
        })
    }
})

Old ways of custom repository creation were dropped.

  • added a new option for the relation load strategy, called relationLoadStrategy.
    The relation load strategy is used on entity load and determines how relations must be loaded when you query entities and their relations from the database.
    It is used in find* methods and QueryBuilder. The value can be set to join or query.

    • join - loads relations using SQL JOIN expression
    • query - executes separate SQL queries for each relation

The default is join, but the default can be set in ConnectionOptions:

createConnection({
    /* ... */
    relationLoadStrategy: "query"
})

Also, it can be set per-query in find* methods:

userRepository.find({
    relations: {
        photos: true
    },
    relationLoadStrategy: "query"
})

And QueryBuilder:

userRepository
    .createQueryBuilder()
    .setRelationLoadStrategy("query")

For queries returning a large amount of data, we recommend using the query strategy,
because it can be a more performant way to query relations.

  • added new findOneBy, findOneByOrFail, findBy, countBy, findAndCountBy methods to BaseEntity, EntityManager and Repository:
const users = await userRepository.findBy({
    name: "Michael"
})

Overall, find* and count* method signatures were changed; read the "breaking changes" section for more info.

  • new select type signature in FindOptions (used in find* methods):
userRepository.find({
    select: {
        id: true,
        firstName: true,
        lastName: true,
    }
})

Also, now it's possible to specify select columns of the loaded relations:

userRepository.find({
    select: {
        id: true,
        firstName: true,
        lastName: true,
        photo: {
            id: true,
            filename: true,
            album: {
                id: true,
                name: true,
            }
        }
    }
})
  • new relations type signature in FindOptions (used in find* methods):
userRepository.find({
    relations: {
        contacts: true,
        photos: true,
    }
})

To load nested relations use the following signature:

userRepository.find({
    relations: {
        contacts: true,
        photos: {
            album: true,
        },
    }
})
  • new order type signature in FindOptions (used in find* methods):
userRepository.find({
    order: {
        id: "ASC"
    }
})

It now supports nested order-bys:

userRepository.find({
    order: {
        photos: {
            album: {
                name: "ASC"
            },
        },
    }
})
  • the new where type signature in FindOptions (used in find* methods) now allows building nested statements with conditional relations, for example:
userRepository.find({
    where: {
        photos: {
            album: {
                name: "profile"
            }
        }
    }
})

Gives you users who have photos in their "profile" album.

  • FindOperator-s can be applied for relations in where statement, for example:
userRepository.find({
    where: {
        photos: MoreThan(10),
    }
})

Gives you users with more than 10 photos.

  • boolean can be applied for relations in where statement, for example:
userRepository.find({
    where: {
        photos: true
    }
})
BREAKING CHANGES
  • minimal Node.JS version requirement now is 14+

  • drop ormconfig support. ormconfig still works if you use deprecated methods,
    however we do not recommend using it anymore, because its support will be completely dropped in 0.4.0.
    If you want to have your connection options defined in a separate file, you can still do it like this:

const MyDataSource = new DataSource(require("./ormconfig.json"))

Or an even more type-safe approach, with resolveJsonModule enabled in tsconfig.json:

import ormconfig from "./ormconfig.json"

const MyDataSource = new DataSource(ormconfig)

But we do not recommend this practice, because from 0.4.0 you'll only be able to specify entities / subscribers / migrations using direct references to entity classes / schemas (see "deprecations" section).

We won't be supporting all ormconfig extensions (e.g. json, js, ts, yaml, xml, env).

  • support for previously deprecated migrations:* commands was removed. Use migration:* commands instead.

  • all commands were re-worked. Please refer to new CLI documentation.

  • cli option from BaseConnectionOptions (now BaseDataSourceOptions options) was removed (since CLI commands were re-worked).

  • now migrations are running before schema synchronization if you have both pending migrations and schema synchronization pending
    (it works if you have both migrationsRun and synchronize enabled in connection options).

  • aurora-data-api driver now is called aurora-mysql

  • aurora-data-api-pg driver now is called aurora-postgres

  • EntityManager.connection is now EntityManager.dataSource

  • Repository now has a constructor (breaks classes extending Repository with custom constructor)

  • @TransactionRepository, @TransactionManager, @Transaction decorators were completely removed. These decorators do the things out of the TypeORM scope.

  • Only junction table names are shortened.

MOTIVATION: We must shorten only table names generated by TypeORM.
It's the user's responsibility to keep table names short if their RDBMS limits table name length,
since it doesn't make sense to have table names as random hashes.
It's really better if the user specifies a custom table name in the @Entity decorator.
Also, for a junction table it's possible to set a custom name using the @JoinTable decorator.

  • findOne() signature without parameters was dropped.
    If you need a single row from the db you can use the following syntax:
const [user] = await userRepository.find()

This change was made to prevent user confusion.
See this issue for details.

  • findOne(id) signature was dropped. Use the following syntax instead:
const user = await userRepository.findOneBy({
    id: id // where id is your column name
})

This change was made to provide a more type-safe approach for data querying.
Due to this change you might need to refactor the way you load entities using MongoDB driver.

  • findOne, findOneOrFail, find, count, findAndCount methods now only accept FindOptions as parameter, e.g.:
const users = await userRepository.find({
    where: { /* conditions */ },
    relations: { /* relations */ }
})

To supply where conditions directly without FindOptions, new methods were added:
findOneBy, findOneByOrFail, findBy, countBy, findAndCountBy. Example:

const users = await userRepository.findBy({
    name: "Michael"
})

This change was required to simplify the current find* and count* method typings,
improve type safety and prevent user confusion.

  • findByIds was deprecated, use findBy method instead in conjunction with In operator, for example:
userRepository.findBy({
    id: In([1, 2, 3])
})

This change was made to provide a more type-safe approach for data querying.

  • findOne and QueryBuilder.getOne() now return null instead of undefined when nothing was found in the database.
    Logically it makes more sense to return null.

  • findOne now limits returning rows to 1 at database level.

NOTE: FOR UPDATE locking does not work with findOne in Oracle since FOR UPDATE cannot be used with FETCH NEXT in a single query.

  • where in FindOptions (e.g. find({ where: { ... })) is more sensitive to input criteria now.

  • FindConditions (where in FindOptions) was renamed to FindOptionsWhere.

  • null as value in where used in find* methods is not supported anymore.
    Now you must explicitly use IsNull() operator.

Before:

userRepository.find({
    where: {
        photo: null
    }
})

After:

userRepository.find({
    where: {
        photo: IsNull()
    }
})

This change was made to make it more transparent how to add an "IS NULL" statement to the final SQL,
because before it brought too much confusion for ORM users.

  • if you had entity properties of a non-primitive type (except Buffer) defined as columns,
    then you won't be able to use it in find*'s where. Example:

Before for the @Column(/*...*/) membership: MembershipKind you could have a query like:

userRepository.find({
    membership: new MembershipKind("premium")
})

now, you need to wrap this value into Equal operator:

userRepository.find({
    membership: Equal(new MembershipKind("premium"))
})

This change is due to the type-safety improvement the new where signature brings.

  • order in FindOptions (used in find* methods) doesn't support ordering by relations anymore.
    Define relation columns, and order by them instead.

  • where in FindOptions (used in find* methods) previously supported ObjectLiteral and string types.
    Now both signatures were removed. ObjectLiteral was removed because it seriously breaks the type safety,
    and string doesn't make sense in the context of FindOptions. Use QueryBuilder instead.

  • MongoRepository and MongoEntityManager now use new types called MongoFindManyOptions and MongoFindOneOptions
    for their find* methods.

  • primary relation (e.g. @ManyToOne(() => User, { primary: true }) user: User) support is removed.
    You still have an ability to use foreign keys as your primary keys,
    however now you must explicitly define a column marked as primary.

Example, before:

@ManyToOne(() => User, { primary: true })
user: User

Now:

@PrimaryColumn()
userId: number

@ManyToOne(() => User)
user: User

The primary column name must match the relation name + join column name on the related entity.
If the related entity has multiple primary keys, and you want to point to multiple primary keys,
you can define multiple primary columns the same way:

@PrimaryColumn()
userFirstName: string

@PrimaryColumn()
userLastName: string

@ManyToOne(() => User)
user: User

This change was required to simplify ORM internals and introduce new features.

  • prefix relation id columns contained in embedded entities (#7432)

  • find by Date object in sqlite driver (#7538)

  • issue with non-reliable new Date(ISOString) parsing (#7796)

DEPRECATIONS
  • all CLI commands do not support ormconfig anymore. You must specify a file with data source instance instead.

  • support for the entities, migrations and subscribers options inside DataSourceOptions accepting string directories is deprecated.
    You'll only be able to pass entity references in future versions.

  • all container-related features (UseContainerOptions, ContainedType, ContainerInterface, defaultContainer,
    useContainer, getFromContainer) are deprecated.

  • EntityManager's getCustomRepository used within transactions is deprecated. Use withRepository method instead.

  • Connection.isConnected is deprecated. Use .isInitialized instead.

  • select in FindOptions (used in find* methods) used as an array of property names is deprecated.
    Now you should use a new object-literal notation. Example:

Deprecated way of selecting entity properties:

userRepository.find({
    select: ["id", "firstName", "lastName"]
})

New way of selecting entity properties:

userRepository.find({
    select: {
        id: true,
        firstName: true,
        lastName: true,
    }
})

This change is due to the type-safety improvement the new select signature brings.

  • relations in FindOptions (used in find* methods) used as an array of relation names is deprecated.
    Now you should use a new object-literal notation. Example:

Deprecated way of loading entity relations:

userRepository.find({
    relations: ["contacts", "photos", "photos.album"]
})

New way of loading entity relations:

userRepository.find({
    relations: {
        contacts: true,
        photos: {
            album: true
        }
    }
})

This change is due to the type-safety improvement the new relations signature brings.

  • join in FindOptions (used in find* methods) is deprecated. Use QueryBuilder to build queries containing manual joins.

  • Connection, ConnectionOptions are deprecated, new names to use are: DataSource and DataSourceOptions.
    To create the same connection you had before use a new syntax: new DataSource({ /*...*/ }).

  • createConnection(), createConnections() are deprecated, since Connection is called DataSource now, to create a connection and connect to the database
    simply do:

const myDataSource = new DataSource({ /*...*/ })
await myDataSource.connect()
  • getConnection() is deprecated. To have a globally accessible connection, simply export your data source and use it in places you need it:
export const myDataSource = new DataSource({ /*...*/ })
// now you can use myDataSource anywhere in your application
  • getManager(), getMongoManager(), getSqljsManager(), getRepository(), getTreeRepository(), getMongoRepository(), createQueryBuilder()
    are all deprecated now. Use globally accessible data source instead:
export const myDataSource = new DataSource({ /*...*/ })
export const Manager = myDataSource.manager
export const UserRepository = myDataSource.getRepository(UserEntity)
export const PhotoRepository = myDataSource.getRepository(PhotoEntity)
// ...
  • getConnectionManager() and ConnectionManager itself are deprecated - now Connection is called DataSource,
    and each data source can be defined in an exported variable. If you want to have a collection
    of data sources, just define them in a variable, simply as:
const dataSource1 = new DataSource({ /*...*/ })
const dataSource2 = new DataSource({ /*...*/ })
const dataSource3 = new DataSource({ /*...*/ })

export const MyDataSources = {
    dataSource1,
    dataSource2,
    dataSource3,
}
  • getConnectionOptions() is deprecated - in the next version we are going to implement a different mechanism for loading connection options

  • AbstractRepository is deprecated. Use the new way of creating custom repositories.

  • Connection.name and BaseConnectionOptions.name are deprecated. Connections don't need names anymore since we are going to drop all related methods relying on this property.

  • all deprecated signatures will be removed in 0.4.0

EXPERIMENTAL FEATURES NOT PORTED FROM NEXT BRANCH
  • observers - we will consider returning them back with new API in future versions
  • alternative find operators - using $any, $in, $like and other operators in where condition.

v0.2.43

Bug Fixes
  • support require to internal files without explicitly writing .js in the path (#8660) (96aed8a), closes #8656

v0.2.42

BREAKING CHANGES
  • update listeners and subscriber no longer triggered by soft-remove and recover


v0.2.40

Bug Fixes
  • BaseEntity finder methods to properly type-check lazy relations conditions (#5710) (0665ff5)
Features
  • add depth limiter optional parameter when loading nested trees using TreeRepository's findTrees() and findDescendantsTree() (#7926) (0c44629), closes #3909
  • add upsert methods for the drivers that support onUpdate (#8104) (3f98197), closes #2363
  • Postgres IDENTITY Column support (#7741) (969af95)

v0.2.36

Bug Fixes
  • add deprecated WhereExpression alias for WhereExpressionBuilder (#7980) (76e7ed9)
  • always generate migrations with template string literals (#7971) (e9c2af6)
  • use js rather than ts in all browser package manifests (#7982) (0d90bcd)
  • use nvarchar/ntext during transit for SQLServer queries (#7933) (62d7976)

v0.2.35

Bug Fixes
  • entity to be Partial<Entity> | undefined in UpdateEvent (#7783) (f033045)
  • actually return a working ReadStream from SQL Server query runner (#7893) (e80985f)
  • added version check before dropping materialized views to keep backward compatibility (#7716) (29f1f86)
  • allow for string id in mongo.findByIds call (#7838) (4b45ae1)
  • better support of relation-based properties in where clauses (#7805) (3221c50)
  • Buffer in primary columns causes bugs with relations (#7952) (37e08a7), closes #4060
  • capacitor does not correctly set journal mode (#7873) (5f20eb7)
  • Capacitor driver PRAGMA requests failing on Android (#7728) (9620a26)
  • condition is optional in SelectQueryBuilder joins (#7888) (2deaa0e)
  • correctly handle mongo replica set driver option (#7908) (9212df4)
  • correctly load yml in ConnectionOptionsYmlReader (#7743) (57f9254)
  • craft oracle connectString as a descriptor with SID (#7878) (b05d093)
  • delete operation in MongoDB impact all matched documents (#7811) (0fbae53), closes #7809
  • Do not add NULL/NOT NULL for stored columns (#7708) (3c33e9f), closes #7698
  • do OBJECT_ID lookup for column constraint instead of name in mssql (#7916) (fa8c1b0)
  • drop pool.autostart from mssql options because it's unused (#7877) (0d21a4d)
  • drop SAP statement after prepare per Hana client docs (#7748) (8ca05b1)
  • eager relation respects children relations (#5685) (e7e887a)
  • enable returning additional columns with MSSQL (#7864) (e1db48d)
  • entity object undefined in afterUpdate subscriber (#7724) (d25304d)
  • find operation in MongoDB do not include nullable values from documents (#7820) (98c13cf), closes #7760
  • fix table loading when schemas are used (3a106a3)
  • foreign keys in SAP were loading from the wrong table (#7914) (4777a79)
  • handle postgres default when tableColumn.default is not string (#7816) (0463855)
  • handle snake case of ABcD which should become a_bc_d (#7883) (eb680f9)
  • improve query for MSSQL to fetch foreign keys and tables (#7935) (f6af01a)
  • make OracleQueryRunner createDatabase if-not-exists not fail (f5a80ef)
  • only pass data from SaveOptions during that query (#7886) (1de2e13)
  • oracle cannot support DB in table identifiers (#7954) (8c60d91)
  • pass table to namingstrategy when we can instead of table name (#7925) (140002d)
  • prevent modification of the FindOptions.relations ([#

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
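The CVE-2022-33171 description above and the 0.3 move from findOne(id) to findOneBy({ id }) point at the same root cause: a value taken from parsed JSON can be an object, and the pre-0.3 findOne overload would treat such an object as FindOneOptions. The block below is an added example, not TypeORM's or Renovate's code; it assumes an entity whose primary-key column is `id`, and it uses a minimal hypothetical `IdLookupRepository` interface in place of TypeORM's Repository so it runs without the package installed.

```typescript
// Added example (not TypeORM's code). Assumes the entity's primary key column is `id`.
type EntityId = string | number;

export class InvalidLookupError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "InvalidLookupError";
  }
}

/**
 * Accept only a scalar id. JSON.parse can yield objects and arrays, and
 * TypeORM < 0.3's findOne(value) treated an object as FindOneOptions
 * (CVE-2022-33171). Rejecting anything non-scalar before the ORM call
 * closes that path regardless of the installed TypeORM version.
 */
export function toEntityId(value: unknown): EntityId {
  if (typeof value === "string" && value.length > 0 && value.length <= 64) {
    return value;
  }
  if (typeof value === "number" && Number.isSafeInteger(value) && value >= 0) {
    return value;
  }
  throw new InvalidLookupError(`expected a scalar id, got ${describeValue(value)}`);
}

function describeValue(value: unknown): string {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value;
}

/**
 * Turn a request body such as {"id": 42} into the where-literal the 0.3
 * findOneBy API expects. Only the `id` key is read: spreading the whole body
 * into an ORM call would let extra keys (where, select, relations, __proto__)
 * reach the ORM.
 */
export function lookupWhereFromBody(rawBody: string): { id: EntityId } {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    throw new InvalidLookupError("body is not valid JSON");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new InvalidLookupError("body must be a JSON object");
  }
  return { id: toEntityId((parsed as Record<string, unknown>).id) };
}

/** Hypothetical stand-in for the findOneBy surface of a TypeORM 0.3 Repository<T>. */
export interface IdLookupRepository<T> {
  findOneBy(where: { id: EntityId }): Promise<T | null>;
}

/** Validate first, then call the single-shape 0.3 API; resolves to null when not found. */
export function findByUntrustedBody<T>(
  repo: IdLookupRepository<T>,
  rawBody: string,
): Promise<T | null> {
  return repo.findOneBy(lookupWhereFromBody(rawBody));
}
```

The same guard is worth keeping on a 0.2.x code base that cannot upgrade yet, since it removes the object-versus-id ambiguity at the request boundary rather than relying on the ORM signature.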

@renovate renovate bot added the dependencies Pull requests that update a dependency file label May 7, 2021
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 7 times, most recently from ae7b86f to ca34cac Compare May 14, 2021 19:40
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 5 times, most recently from dfa3af4 to abae2b6 Compare December 26, 2021 15:38
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 8 times, most recently from fa2280d to 7e702b6 Compare January 5, 2022 03:16
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from f307afd to 8c8a7b1 Compare February 6, 2022 22:14
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 5 times, most recently from 99fc516 to 3cd9a2c Compare February 17, 2022 19:36
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from ed3c239 to 1563515 Compare February 27, 2022 15:35
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 1563515 to d086a0e Compare March 4, 2022 15:55
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from d086a0e to 2c32a64 Compare March 26, 2022 12:08
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 2c32a64 to 9bca389 Compare April 24, 2022 20:45
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 9bca389 to 52decd4 Compare May 15, 2022 21:42
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 52decd4 to 20dc72e Compare June 18, 2022 20:36
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 20dc72e to f61c257 Compare November 20, 2022 08:55
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from f61c257 to 1861bdc Compare March 17, 2023 03:46
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 1861bdc to 057366c Compare May 28, 2023 12:01
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 057366c to 2ad8949 Compare June 4, 2023 12:09
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 2ad8949 to 326c4a0 Compare June 29, 2023 12:09
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 326c4a0 to 50d263a Compare July 27, 2023 18:17
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 50d263a to bdd7698 Compare August 19, 2023 07:59
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from bdd7698 to a35f8ee Compare September 28, 2023 13:37
@renovate renovate bot changed the title Update dependency typeorm to v0.2.25 [SECURITY] Update dependency typeorm to v0.2.25 [SECURITY] - autoclosed Dec 19, 2023
@renovate renovate bot closed this Dec 19, 2023
@renovate renovate bot deleted the renovate/npm-typeorm-vulnerability branch December 19, 2023 11:02
@renovate renovate bot changed the title Update dependency typeorm to v0.2.25 [SECURITY] - autoclosed Update dependency typeorm to v0.2.25 [SECURITY] Dec 19, 2023
@renovate renovate bot reopened this Dec 19, 2023
@renovate renovate bot restored the renovate/npm-typeorm-vulnerability branch December 19, 2023 12:56
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from a35f8ee to 2460cdc Compare December 19, 2023 12:56
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from 2460cdc to b49e76b Compare February 25, 2024 09:31
@renovate renovate bot force-pushed the renovate/npm-typeorm-vulnerability branch from b49e76b to e7378da Compare March 21, 2024 19:09
@renovate renovate bot changed the title Update dependency typeorm to v0.2.25 [SECURITY] Update dependency typeorm to ^0.3.0 [SECURITY] Mar 21, 2024