# Update dependency typeorm to ^0.3.0 [SECURITY] #1183

Status: Open. renovate wants to merge 1 commit into `master` from `renovate/npm-typeorm-vulnerability`.
## Conversation

Timeline of the `renovate/npm-typeorm-vulnerability` branch (all events by the renovate bot):

- May 14, 2021 19:40: force-pushed 7 times, most recently from ae7b86f to ca34cac
- December 26, 2021 15:38: force-pushed 5 times, most recently from dfa3af4 to abae2b6
- January 5, 2022 03:16: force-pushed 8 times, most recently from fa2280d to 7e702b6
- February 6, 2022 22:14: force-pushed 2 times, most recently from f307afd to 8c8a7b1
- February 17, 2022 19:36: force-pushed 5 times, most recently from 99fc516 to 3cd9a2c
- February 27, 2022 15:35: force-pushed 2 times, most recently from ed3c239 to 1563515
- March 4, 2022 15:55: force-pushed from 1563515 to d086a0e
- March 26, 2022 12:08: force-pushed from d086a0e to 2c32a64
- April 24, 2022 20:45: force-pushed from 2c32a64 to 9bca389
- May 15, 2022 21:42: force-pushed from 9bca389 to 52decd4
- June 18, 2022 20:36: force-pushed from 52decd4 to 20dc72e
- November 20, 2022 08:55: force-pushed from 20dc72e to f61c257
- March 17, 2023 03:46: force-pushed from f61c257 to 1861bdc
- May 28, 2023 12:01: force-pushed from 1861bdc to 057366c
- June 4, 2023 12:09: force-pushed from 057366c to 2ad8949
- June 29, 2023 12:09: force-pushed from 2ad8949 to 326c4a0
- July 27, 2023 18:17: force-pushed from 326c4a0 to 50d263a
- August 19, 2023 07:59: force-pushed from 50d263a to bdd7698
- September 28, 2023 13:37: force-pushed from bdd7698 to a35f8ee
- Dec 19, 2023: changed the title from "Update dependency typeorm to v0.2.25 [SECURITY]" to "Update dependency typeorm to v0.2.25 [SECURITY] - autoclosed"
- Dec 19, 2023: changed the title from "Update dependency typeorm to v0.2.25 [SECURITY] - autoclosed" back to "Update dependency typeorm to v0.2.25 [SECURITY]"
- December 19, 2023 12:56: force-pushed from a35f8ee to 2460cdc
- February 25, 2024 09:31: force-pushed from 2460cdc to b49e76b
- March 21, 2024 19:09: force-pushed from b49e76b to e7378da
- Mar 21, 2024: changed the title from "Update dependency typeorm to v0.2.25 [SECURITY]" to "Update dependency typeorm to ^0.3.0 [SECURITY]"
## PR description

This PR contains the following updates:

- typeorm: `^0.2.22` -> `^0.3.0`

### GitHub Vulnerability Alerts

#### CVE-2020-8158

Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

#### CVE-2022-33171

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.
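Both alerts above share a root cause on the application side: parsed request JSON reaching the ORM without a type check, either as an object carrying prototype-polluting keys (CVE-2020-8158) or as an options-shaped object where an id string was expected (CVE-2022-33171). The following is an added example, not code from TypeORM or from this repository, of the validation boundary the vendor's note says belongs in the application. `IdLookupRepository` and `FakeRepository` are assumed stand-ins for the one TypeORM 0.3 repository method the wrapper needs, so the file runs without typeorm installed; the sample bodies are constructed.

```typescript
// Added example, not TypeORM code: a validation boundary for user-supplied JSON
// that is about to become a single-row lookup. It addresses the two classes of
// issue in the alerts above: prototype pollution through "__proto__" /
// "constructor" keys (CVE-2020-8158), and a crafted options object arriving
// where an id string was expected (CVE-2022-33171). IdLookupRepository and
// FakeRepository are assumed stand-ins so this runs without typeorm installed.

type Primitive = string | number;

// Structural stand-in for the one TypeORM 0.3 repository method the wrapper uses.
interface IdLookupRepository<T> {
  findOneBy(where: { id: Primitive }): Promise<T | null>;
}

// Keys that let a plain object reach Object.prototype when merged recursively.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk parsed JSON and throw on the first key that could pollute prototypes.
// JSON.parse creates an own property literally named "__proto__", so
// Object.keys() does see it here.
function assertNoPollutingKeys(value: unknown, path = "$"): void {
  if (value === null || typeof value !== "object") return;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoPollutingKeys(item, `${path}[${i}]`));
    return;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`forbidden key "${key}" at ${path}`);
    }
    assertNoPollutingKeys((value as Record<string, unknown>)[key], `${path}.${key}`);
  }
}

// Accept only a scalar id. Any object, including an options-shaped body such
// as { where: ... } or { order: ... }, is refused rather than forwarded to the ORM.
function coerceId(input: unknown): Primitive {
  if (typeof input === "string" && input.length > 0 && input.length <= 64) {
    return input;
  }
  if (typeof input === "number" && Number.isSafeInteger(input) && input >= 0) {
    return input;
  }
  throw new Error("id must be a non-empty string or a non-negative integer");
}

// Build the where clause the ORM will see. Kept separate so the validation
// path can be unit-tested without a database.
function buildIdWhere(rawId: unknown): { id: Primitive } {
  assertNoPollutingKeys(rawId);
  return { id: coerceId(rawId) };
}

// The only path by which request data should reach findOneBy.
async function findById<T>(repo: IdLookupRepository<T>, rawId: unknown): Promise<T | null> {
  return repo.findOneBy(buildIdWhere(rawId));
}

// Constructed in-memory stand-in that records the where clause it received.
class FakeRepository implements IdLookupRepository<{ id: number; name: string }> {
  lastWhere: { id: Primitive } | null = null;
  private readonly rows: { id: number; name: string }[];
  constructor(rows: { id: number; name: string }[]) {
    this.rows = rows;
  }
  async findOneBy(where: { id: Primitive }) {
    this.lastWhere = where;
    return this.rows.find((r) => String(r.id) === String(where.id)) ?? null;
  }
}

// Classify a batch of parsed bodies: null means "would be forwarded",
// otherwise the refusal reason the boundary produced.
function triage(bodies: unknown[]): (string | null)[] {
  return bodies.map((body) => {
    try {
      buildIdWhere(body);
      return null;
    } catch (err) {
      return (err as Error).message;
    }
  });
}

// Constructed sample inputs, as they would look after JSON.parse(req.body).
const SAMPLE_BODIES: unknown[] = [
  JSON.parse('"42"'),                                        // plain id string: accepted
  JSON.parse("7"),                                            // integer id: accepted
  JSON.parse('{"where":{"name":"x"},"order":{"id":"ASC"}}'),  // options-shaped object: refused
  JSON.parse('{"__proto__":{"isAdmin":true}}'),               // polluting key: refused
];

async function main(): Promise<void> {
  const repo = new FakeRepository([{ id: 42, name: "alice" }]);
  console.log(await findById(repo, "42")); // { id: 42, name: 'alice' }
  console.log(repo.lastWhere);             // { id: '42' }
  console.log(triage(SAMPLE_BODIES));      // [ null, null, 'id must be ...', 'forbidden key ...' ]
}
main().catch(console.error);
```

The point of routing every lookup through `findById` is that the ORM call site never takes `unknown`: whatever the request parser produced, the repository only ever sees `{ id: <scalar> }`, which is also the shape TypeORM 0.3's `findOneBy` expects after the `findOne(id)` signature was dropped.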
### Release Notes

#### typeorm/typeorm (typeorm)

##### v0.3.0

Changes in this version include changes from the `next` branch and the `typeorm@next` version. They were pending their migration since 2018. Finally, they are in the master branch and master version.

**Features**

- compilation `target` now is `es2020`. This requires Node.JS version 14+
- TypeORM now properly works when installed within different node_modules contexts (often happens if TypeORM is a dependency of another library or TypeORM is heavily used in monorepo projects)
- `Connection` was renamed to `DataSource`. Old `Connection` is still there, but now it's deprecated. It will be completely removed in the next version. New API: previously, you could use `new Connection()`, `createConnection()`, `getConnectionManager().create()`, etc. They are all deprecated in favour of the new syntax. The new way gives you more flexibility and simplicity in usage.
- Old ways of custom repository creation were dropped.
- added a new option on relation load strategy called `relationLoadStrategy`. Relation load strategy is used on entity load and determines how relations must be loaded when you query entities and their relations from the database. Used on `find*` methods and `QueryBuilder`. Value can be set to `join` or `query`.
  - `join` - loads relations using an SQL `JOIN` expression
  - `query` - executes separate SQL queries for each relation

  Default is `join`, but the default can be set in `ConnectionOptions`. Also, it can be set per-query in `find*` methods and in QueryBuilder. For queries returning a big amount of data, we recommend using the `query` strategy, because it can be a more performant approach to query relations.
- `findOneBy`, `findOneByOrFail`, `findBy`, `countBy`, `findAndCountBy` methods to `BaseEntity`, `EntityManager` and `Repository`. Overall `find*` and `count*` method signatures were changed, read the "breaking changes" section for more info.
- `select` type signature in `FindOptions` (used in `find*` methods). Also, now it's possible to specify select columns of the loaded relations.
- `relations` type signature in `FindOptions` (used in `find*` methods). Nested relations can be loaded with the same signature.
- `order` type signature in `FindOptions` (used in `find*` methods). Now supports nested order by-s.
- `where` type signature in `FindOptions` (used in `find*` methods) now allows building nested statements with conditional relations, for example a query that gives you users who have photos in their "profile" album.
- `FindOperator`-s can be applied for relations in the `where` statement, for example a query that gives you users with more than 10 photos.
- `boolean` can be applied for relations in the `where` statement.

**BREAKING CHANGES**

- minimal Node.JS version requirement now is 14+
- drop `ormconfig` support. `ormconfig` still works if you use deprecated methods, however we do not recommend using it anymore, because its support will be completely dropped in 0.4.0. If you want to have your connection options defined in a separate file, you can still do it, or take an even more type-safe approach with `resolveJsonModule` in `tsconfig.json` enabled. But we do not recommend this practice, because from 0.4.0 you'll only be able to specify entities / subscribers / migrations using direct references to entity classes / schemas (see "deprecations" section). We won't be supporting all `ormconfig` extensions (e.g. `json`, `js`, `ts`, `yaml`, `xml`, `env`).
- support for previously deprecated `migrations:*` commands was removed. Use `migration:*` commands instead.
- all commands were re-worked. Please refer to the new CLI documentation.
- `cli` option from `BaseConnectionOptions` (now `BaseDataSourceOptions` options) was removed (since CLI commands were re-worked).
- now migrations are run before schema synchronization if you have both pending migrations and schema synchronization pending (it works if you have both `migrationsRun` and `synchronize` enabled in connection options).
- `aurora-data-api` driver now is called `aurora-mysql`
- `aurora-data-api-pg` driver now is called `aurora-postgres`
- `EntityManager.connection` is now `EntityManager.dataSource`
- `Repository` now has a constructor (breaks classes extending Repository with a custom constructor)
- `@TransactionRepository`, `@TransactionManager`, `@Transaction` decorators were completely removed. These decorators do things out of the TypeORM scope.
- Only junction table names are shortened. MOTIVATION: We must shorten only table names generated by TypeORM. It's the user's responsibility to name tables short if their RDBMS limits table name length, since it won't make sense to have table names as random hashes. It's really better if the user specifies a custom table name in the `@Entity` decorator. Also, for a junction table it's possible to set a custom name using the `@JoinTable` decorator.
- `findOne()` signature without parameters was dropped. If you need a single row from the db you can use the replacement syntax. This change was made to prevent user confusion. See this issue for details.
- `findOne(id)` signature was dropped. Use the replacement syntax instead. This change was made to provide a more type-safe approach for data querying. Due to this change you might need to refactor the way you load entities using the MongoDB driver.
- `findOne`, `findOneOrFail`, `find`, `count`, `findAndCount` methods now only accept `FindOptions` as parameter. To supply `where` conditions directly without `FindOptions`, new methods were added: `findOneBy`, `findOneByOrFail`, `findBy`, `countBy`, `findAndCountBy`. This change was required to simplify current `find*` and `count*` method typings, improve type safety and prevent user confusion.
- `findByIds` was deprecated, use the `findBy` method instead in conjunction with the `In` operator. This change was made to provide a more type-safe approach for data querying.
- `findOne` and `QueryBuilder.getOne()` now return `null` instead of `undefined` in the case it didn't find anything in the database. Logically it makes more sense to return `null`.
- `findOne` now limits returned rows to 1 at database level. NOTE: `FOR UPDATE` locking does not work with `findOne` in Oracle since `FOR UPDATE` cannot be used with `FETCH NEXT` in a single query.
- `where` in `FindOptions` (e.g. `find({ where: { ... } })`) is more sensitive to input criteria now.
- `FindConditions` (`where` in `FindOptions`) was renamed to `FindOptionsWhere`.
- `null` as value in `where` used in `find*` methods is not supported anymore. Now you must explicitly use the `IsNull()` operator (before / after). This change was made to make it more transparent on how to add an "IS NULL" statement to the final SQL, because before it brought too much confusion for ORM users.
- then you won't be able to use it in `find*`'s `where`. Before, for the `@Column(/*...*/) membership: MembershipKind` you could have a query using the value directly; now, you need to wrap this value into the `Equal` operator. This change is due to the type-safety improvement the new `where` signature brings.
- `order` in `FindOptions` (used in `find*` methods) doesn't support ordering by relations anymore. Define relation columns, and order by them instead.
- `where` in `FindOptions` (used in `find*` methods) previously supported `ObjectLiteral` and `string` types. Now both signatures were removed. ObjectLiteral was removed because it seriously breaks the type safety, and `string` doesn't make sense in the context of `FindOptions`. Use `QueryBuilder` instead.
- `MongoRepository` and `MongoEntityManager` now use new types called `MongoFindManyOptions` and `MongoFindOneOptions` for their `find*` methods.
- `primary relation` (e.g. `@ManyToOne(() => User, { primary: true }) user: User`) support is removed. You still have the ability to use foreign keys as your primary keys, however now you must explicitly define a column marked as primary. The primary column name must match the relation name + join column name on the related entity. If the related entity has multiple primary keys, and you want to point to multiple primary keys, you can define multiple primary columns the same way. This change was required to simplify ORM internals and introduce new features.
- prefix relation id columns contained in embedded entities (#7432)
- find by Date object in sqlite driver (#7538)
- issue with non-reliable `new Date(ISOString)` parsing (#7796)

**DEPRECATIONS**

- all CLI commands do not support `ormconfig` anymore. You must specify a file with a data source instance instead.
- `entities`, `migrations`, `subscribers` options inside `DataSourceOptions` accepting `string` directories is deprecated. You'll only be able to pass entity references in future versions.
- all container-related features (`UseContainerOptions`, `ContainedType`, `ContainerInterface`, `defaultContainer`, `useContainer`, `getFromContainer`) are deprecated.
- EntityManager's `getCustomRepository` used within transactions is deprecated. Use the `withRepository` method instead.
- `Connection.isConnected` is deprecated. Use `.isInitialized` instead.
- `select` in `FindOptions` (used in `find*` methods) used as an array of property names is deprecated. Now you should use the new object-literal notation (deprecated way of loading entity relations vs. new way of loading entity relations). This change is due to the type-safety improvement the new `select` signature brings.
- `relations` in `FindOptions` (used in `find*` methods) used as an array of relation names is deprecated. Now you should use the new object-literal notation (deprecated way of loading entity relations vs. new way of loading entity relations). This change is due to the type-safety improvement the new `relations` signature brings.
- `join` in `FindOptions` (used in `find*` methods) is deprecated. Use `QueryBuilder` to build queries containing manual joins.
- `Connection`, `ConnectionOptions` are deprecated, new names to use are `DataSource` and `DataSourceOptions`. To create the same connection you had before use the new syntax: `new DataSource({ /*...*/ })`.
- `createConnection()`, `createConnections()` are deprecated, since `Connection` is called `DataSource` now; create a data source and connect to the database with it directly.
- `getConnection()` is deprecated. To have a globally accessible connection, simply export your data source and use it in the places you need it.
- `getManager()`, `getMongoManager()`, `getSqljsManager()`, `getRepository()`, `getTreeRepository()`, `getMongoRepository()`, `createQueryBuilder()` are all deprecated now. Use the globally accessible data source instead.
- `getConnectionManager()` and `ConnectionManager` itself are deprecated - now `Connection` is called `DataSource`, and each data source can be defined in an exported variable. If you want to have a collection of data sources, just define them in a variable.
- `getConnectionOptions()` is deprecated - in the next version we are going to implement a different mechanism of connection options loading
- `AbstractRepository` is deprecated. Use the new way of custom repositories creation.
- `Connection.name` and `BaseConnectionOptions.name` are deprecated. Connections don't need names anymore since we are going to drop all related methods relying on this property.
- all deprecated signatures will be removed in 0.4.0

**EXPERIMENTAL FEATURES NOT PORTED FROM NEXT BRANCH**

- observers - we will consider returning them with a new API in future versions
- alternative find operators - using `$any`, `$in`, `$like` and other operators in the `where` condition.

##### v0.2.45

- Bug Fixes
- Features

##### v0.2.44

- Bug Fixes
- Features
  - `{delete,insert}().returning()` on MariaDB (#8673) (7facbab), closes #7235

##### v0.2.43

- Bug Fixes
  - `require` to internal files without explicitly writing `.js` in the path (#8660) (96aed8a), closes #8656
- Features
- Reverts

##### v0.2.42

- Bug Fixes
  - `uuid` library (#8642) (8898a71)
  - `update: false` columns shouldn't trigger @UpdateDateColumn column updation (2834729), closes #8394
- Features
- Reverts
- BREAKING CHANGES

##### v0.2.41

- Bug Fixes
  - `retryWrites` to `MongoConnectionOptions` (#8354) (c895680), closes #7869
  - `UNIQUE` constraints detection (#8364) (29cb891), closes #8158
- Features

##### v0.2.40

- Bug Fixes
- Features
- Reverts

##### v0.2.39

- Bug Fixes
- Features
  - `typeorm` command wrapper to package.json in project template (#8081) (19d4a91)
- Reverts

##### v0.2.38

- Bug Fixes
- Features

##### v0.2.37

- Bug Fixes
  - `connections` property should include list of `Connection`s (#8004) (2344db6)
- Features

##### v0.2.36

- Bug Fixes
  - `WhereExpression` alias for `WhereExpressionBuilder` (#7980) (76e7ed9)
  - `browser` package manifests (#7982) (0d90bcd)
- Features
  - `applicationName` (#7989) (d365acc)

##### v0.2.35

- Bug Fixes
  - `entity` to be `Partial<Entity>` | `undefined` in `UpdateEvent` (#7783) (f033045)
  - `prepare` per Hana client docs (#7748) (8ca05b1)
  - `afterUpdate` subscriber (#7724) (d25304d)
  - `OracleQueryRunner` createDatabase if-not-exists not fail (f5a80ef)
  - `data` from SaveOptions during that query (#7886) (1de2e13)

### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.