build(deps): update dependency typeorm to v0.3.26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
typeorm (source)	0.3.25 → 0.3.26

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2025-60542

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

---

Release Notes

typeorm/typeorm (typeorm)

v0.3.26

Compare Source

Notes:

• When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
  in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
• When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
  is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

• add stricter type-checking and improve event loop handling (#​11540) (01dddfe)
• do not create junction table metadata when it already exists (#​11114) (3c26cf1)
• mysql: set stringifyObjects implicitly (#​11574) (d57fe3b)
• mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#​11555) (1737e97)
• oracle: pass duplicated parameters correctly to the client when executing a query (#​11537) (f2d2236)
• platform[web worker]: improve globalThis variable retrieval for browser environment (#​11495) (ec26eae)
• preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#​10679) (66ee307), closes #​10678 #​10678
• regtype is not supported in aurora serverless v2 (#​11568) (6e9f20d)
• resolve array modification bug in QueryRunner drop methods (#​11564) (f351757), closes #​11563
• support for better-sqlite3 v12 (#​11557) (1ea3a5e)

Features

• add Redis 5.x support with backward compatibility with peer dependency to allow (#​11585) (17cf837), closes #​11528
• sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#​11526) (abf8863)
• sap: use the native driver for connection pooling (#​11520) (aebc7eb)
• support virtual columns in entity schema (#​11597) (d1e3950)

Performance Improvements

• avoid unnecessary count on getManyAndCount (#​11524) (5904ac3)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.