Update dependency typeorm to ^0.3.0 [SECURITY] #68

renovate · 2024-03-21T23:36:45Z

This PR contains the following updates:

Package	Change	Age	Confidence
typeorm (source)	`^0.2.28` -> `^0.3.0`

GitHub Vulnerability Alerts

CVE-2022-33171

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.

CVE-2025-60542

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Release Notes

typeorm/typeorm (typeorm)

`v0.3.26`

Compare Source

Notes:

When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

add stricter type-checking and improve event loop handling (#11540) (01dddfe)
do not create junction table metadata when it already exists (#11114) (3c26cf1)
mysql: set stringifyObjects implicitly (#11574) (d57fe3b)
mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#11555) (1737e97)
oracle: pass duplicated parameters correctly to the client when executing a query (#11537) (f2d2236)
platform[web worker]: improve globalThis variable retrieval for browser environment (#11495) (ec26eae)
preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#10679) (66ee307), closes #10678 #10678
regtype is not supported in aurora serverless v2 (#11568) (6e9f20d)
resolve array modification bug in QueryRunner drop methods (#11564) (f351757), closes #11563
support for better-sqlite3 v12 (#11557) (1ea3a5e)

Features

add Redis 5.x support with backward compatibility with peer dependency to allow (#11585) (17cf837), closes #11528
sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#11526) (abf8863)
sap: use the native driver for connection pooling (#11520) (aebc7eb)
support virtual columns in entity schema (#11597) (d1e3950)

Performance Improvements

avoid unnecessary count on getManyAndCount (#11524) (5904ac3)

`v0.3.25`

Compare Source

Bug Fixes

add collation update detection in PostgresDriver (#11441) (24c3e38), closes #8647 #8647
fix null pointer exception on date array column comparison (#11532) (42e7cbe)
handle limit(0) and offset(0) correctly in SelectQueryBuilder (#11507) (413f0a6)
improve async calls on disconnect (#11523) (ead4f98)
multiple relations with same column name(s) generate invalid SELECT statement (#11400) (63a3b9a), closes #1668 #9788 #9814 #10121 #10148 #11109 #11132 #11180
postgres: resolve alias or table name in upsert/insert or update conditionally (#11452) (2bfa300), closes #11082 #11440
tree-entity: closure junction table primary key definition should match parent table (#11422) (ce23d46)
docs: fix up doc search workflow (#11513) (930eefd)

Features

add upsert support for Oracle, SQLServer and SAP HANA (#10974) (a9c16ee)
spanner: use credentials from connection options (#11492) (07d7913), closes #11442
docs: add typesense/docsearch-scraper (#11424) (65d5a00)
docs: add Plausible analytics script to Docusaurus config (#11517) (86f12c9)

`v0.3.24`

Compare Source

Bug Fixes

capacitor use query to run PRAGMA statements (#11467) (d325d9e)
ci: resolve pkg.pr.new publish failure (2168441)
mssql: avoid mutating input parameter array values (#11476) (b8dbca5)

Features

add tagged template for executing raw SQL queries (#11432) (c464ff8)
add updateAll and deleteAll methods to EntityManager and Repository APIs (#11459) (23bb1ee)
spanner: support insert returning (#11460) (144634d), closes #11453

Performance Improvements

improve save performance during entities update (15de733)

`v0.3.23`

Compare Source

⚠️ Note on a breaking change

This release includes a technically breaking change (from this PR) in the behaviour of the delete and update methods of the EntityManager and Repository APIs, when an empty object is supplied as the criteria:

await repository.delete({})
await repository.update({}, { foo: 'bar' })

Old behaviour was to delete or update all rows in the table
New behaviour is to throw an error: Empty criteria(s) are not allowed for the delete/update method.

Why?

This behaviour was not documented and is considered dangerous as it can allow a badly-formed object (e.g. with an undefined id) to inadvertently delete or update the whole table.

When the intention actually was to delete or update all rows, such queries can be rewritten using the QueryBuilder API:

await repository.createQueryBuilder().delete().execute()
// executes: DELETE FROM table_name
await repository.createQueryBuilder().update().set({ foo: 'bar' }).execute()
// executes: UPDATE table_name SET foo = 'bar'

An alternative method for deleting all rows is to use:

await repository.clear()
// executes: TRUNCATE TABLE table_name

Bug Fixes

beforeQuery promises not awaited before query execution (#11086) (b9842e3), closes #11085 #11085
change how array columns are compared on column changed detection (#11269) (a61654e), closes #5967
cleanup after streaming in sap hana (#11399) (fadad1a)
mongo: propagate aggregate method's generic type to its returned cursor (#10754) (56f1898)
prevent error when replication is undefined (#11423) (61a6f97)
update/delete/softDelete by criteria of condition objects (#10910)

Features

add FormattedConsoleLogger (#11401) (4c8fc3a), closes #10801
add new foreign key decorator, and entity schemas options (#11144) (6ebae3b), closes #4569
Add query timeout support for MySql (#10846) (046aebe)
generate ESM migrations via esm flag (#10802) (7c5ea99), closes #10801
publish PR releases using pkg.pr.new (274bdf2)

Performance Improvements

query-runner: use Date.now() instead of +new Date() (#10811) (fe71a0c)

`v0.3.22`

Compare Source

Bug Fixes

bulk insert NULL values in Oracle (#11363) (bcaa0bf)
ensure correct MSSQL parameter conversion in where conditions (ecae9f5), closes #11285
export QueryEvent before/after types (#10688) (03dbc7a)
FindOptionsSelect to use correct type when property is an object (#11355) (834e856)
incorrect table alias in insert orUpdate with Postgres driver (#11082) (72c6991), closes #11077
inverse relation metadata not cyclic (50a660a)
remove unnecessary import from JS migration (#11327) (72145b8)
remove unnecessary spaces in message when running non-fake migrations (#10809) (c3bebdc)
sap: incorrect handling of simple array/json data type (#11322) (27b4207)
sap: normalize deprecated/removed data types in SAP HANA Cloud (#11356) (460ef02)
sap: pass the configured schema to the db client (#11321) (04ca83a)
sql escape issues identified by CodeQL (#11338) (863caf1)
update mongodb connection options (#11310) (81bb9d5)
version detection for Postgres derived variants (#11375) (3d79786)

Features

postgres: support macaddr8 column type (b0ea913)
Send DriverInfo to MongoDB client (#11214) (a29e047)
Support Expo SQLite Next (7b242e1)

Reverts

Revert "fix: nested transactions issues (#10210)" (7aa4f3c), closes #10210

`v0.3.21`

Compare Source

Bug Fixes

Add support for better-sqlite3 v10 and 11 (#11096) (6c0c2ba)
composite key save issue (#10672) (83567f5)
moved reflect-metadata to peerDependencies and set version to "^0.1.14 || ^0.2.0" (#10779) (e7649d2)
npm-readme: resolve missing image file (#11290) (c554f58)
npm-readme: resolve missing image file pt. 2 (#11291) (981cf82)
Update mssql allowed version to fix vulnerability. (#10933) (3a51160)
Fix maximum call stack error (#10733) (7a384be0)
use sql-highlight instead of cli-highlight (#11221) (1516cfe)

Performance Improvements

improve results transformer performance (#10349) (7bea198)

`v0.3.20`

Compare Source

Bug Fixes

added missing parentheses in where conditions (#10650) (4624930), closes #10534
don't escape indexPredicate (#10618) (dd49a25)
fallback runMigrations transaction to DataSourceOptions (#10601) (0cab0dd)
hangup when load relations with relationLoadStrategy: query (#10630) (54d8d9e), closes #10481
include asExpression columns in returning clause (#10632) (f232ba7), closes #8450 #8450
multiple insert in SAP Hana (#10597) (1b34c9a)
resolve issue CREATE/DROP Index concurrently (#10634) (8aa8690), closes #10626
type inferencing of EntityManager#create (#10569) (99d8249)

Features

add json type support for Oracle (#10611) (7e85460)
add postgres multirange column types (#10627) (d0b7670), closes #10556
add table comment for postgres (#10613) (4493db4)

Reverts

Revert "fix: prevent using absolute table path in migrations unless required (#10123)" (#10624) (8f371f2), closes #10123 #10624
revert "feat: nullable embedded entities (#10289)" (#10614) (15de46f), closes #10289 #10614

`v0.3.19`

Compare Source

Bug Fixes

fixed Cannot read properties of undefined (reading 'sync') caused after glob package upgrade

`v0.3.18`

Compare Source

Bug Fixes

add BaseEntity to model-shim (#10503) (3cf938e)
add error handling for missing join columns (#10525) (122c897), closes #7034
add missing export for View class (#10261) (7adbc9b)
added fail callback while opening the database in Cordova (#10566) (8b4df5b)
aggregate function throw error when column alias name is set (#10035) (022d2b5), closes #9927
backport postgres connection error handling to crdb (#10177) (149226d)
bump better-sqlite3 version range (#10452) (75ec8f2)
caching always enabled not caching queries (#10524) (8af533f)
circular dependency breaking node.js 20.6 (#10344) (ba7ad3c), closes #10338
correctly keep query.data from ormOption for commit / rollback subscribers (#10151) (73ee70b)
default value in child table/entity column decorator for multiple table inheritance is ignored for inherited columns (#10563) (#10564) (af77a5d)
deletedAt column leaking as side effect of object update while creating a row (#10435) (7de4890)
empty objects being hydrated when eager loading relations that have a @VirtualColumn (#10432) (b53e410), closes #10431
extend GiST index with range types for Postgres driver (#10572) (a4900ae), closes #10567
ignore changes for columns with update: false in persistence (#10250) (f8fa1fd), closes #10249
improve helper for cli for commands missing positionals (#10133) (9f8899f)
loading datasource unable to process a regular default export (#10184) (201342d), closes #8810
logMigration has incorrect logging condition (#10323) (d41930f), closes #10322 #10322
ManyToMany ER_DUP_ENTRY error (#10343) (e296063), closes #5704
migrations on indexed TIMESTAMP WITH TIME ZONE Oracle columns (#10506) (cf37f13), closes #10493
mongodb - undefined is not constructor (#10559) (ad5bf11)
mongodb resolves leaked cursor (#10316) (2dc9624), closes #10315
mssql datasource testonborrow not affecting anything (#10589) (122b683)
nested transactions issues (#10210) (25e6ecd)
prevent using absolute table path in migrations unless required (#10123) (dd59524)
remove date-fns in favor of DayJs (#10306) (cf7147f)
remove dynamic require calls (#10196) (a939654)
resolve circular dependency when using Vite (#10273) (080528b)
resolve issue building eager relation alias for nested relations (#10004) (c6f608d), closes #9944
resolve issue of generating migration for numeric arrays repeatedly (#10471) (39fdcf6), closes #10043
resolve issue queryBuilder makes different parameter identifiers for same parameter (#10327) (6c918ea), closes #7308
resolve issues on upsert (#10588) (dc1bfed), closes #10587
scrub all comment end markers from comments (#10163) (d937f61)
serialize bigint when building a query id #10336 (#10337) (bfc1cc5)
should automatically cache if alwaysEnable (#10137) (173910e), closes #9910
SQLite simple-enum column parsing (#10550) (696e688)
update UpdateDateColumn on upsert (#10458) (fdb9866), closes #9015
upgrade ts-node version to latest(10.9.1) version (#10143) (fcb9904)
using async datasource to configure typeorm (#10170) (fbd45db)

Features

ability to change default replication mode (#10419) (72b1d1b)
add concurrent indexes for postgres (#10442) (f4e6eaf)
add exists and exists by (#10291) (b6b46fb)
add isolated where statements (#10213) (3cda7ec)
add MSSQL disableAsciiToUnicodeParamConversion option and tests (#10161) (df7c069), closes #10131
add support for mssql server DefaultAzureCredential usage (#10246) (c8ee5b1)
add support for table comment in MySQL (#10017) (338df16)
allow to use custom type witch extends object type for find where argument (#10475) (48f5f85)
BeforeQuery and AfterQuery events (#10234) (5c28154), closes #3302
custom STI discriminator value for EntitySchema (#10508) (b240d87), closes #10494
enabled CTE for oracle driver (#10319) (65858f3)
entityId in InsertEvent (#10540) (ae006af)
expose countDocuments in mongodb (#10314) (ebd61d1)
exposed entity and criteria properties on EntityNotFoundError (#10202) (bafcd17)
implement column comments for SAP HANA (#10502) (45e31cc)
implement OR operator (#10086) (a00b1df), closes #10054 #10054 #10054 #10054 #10054 #10054 #10054
implement streaming for SAP HANA (#10512) (7e9cead)
implements QueryFailedError generic for driverError typing (#10253) (78b2f48)
modify repository.extend method for chaining repositories (#10256) (ca29c0f)
nullable embedded entities (#10289) (e67d704)
support for MongoDB 6.x (#10545) (3647b26)
support mssql@10 (#10356) (f6bb671), closes #10340
use node-oracledb 6 (#10285) (3af891a), closes #10277
user-defined index name for STI discriminator column (#10509) (89c5257), closes #10496

Performance Improvements

improve SapQueryRunner performance (#10198) (f6b87e3)

BREAKING CHANGES

With node-oracledb the thin client is used as default. Added a option to use the thick client. Also added the option to specify the instant client lib
MongoDB: from the previous behavior of returning a result with metadata describing when a document is not found.
See: https://github.com/mongodb/node-mongodb-native/blob/HEAD/etc/notes/CHANGES_6.0.0.md
new nullable embeds feature introduced a breaking change which might enforce you to update types on your entities to | null,
if all columns in your embed entity are nullable. Since database queries now return embedded property as null if all its column values are null.

`v0.3.17`

Compare Source

Bug Fixes

#10040 TypeORM synchronize database even if it is up to date (#10041) (b1a3a39)
add missing await (#10084) (f5d4397)

`v0.3.16`

Compare Source

Bug Fixes

add trustServerCertificate option to SqlServerConnectionOptions (#9985) (0305805), closes #8093
add directConnection options to MongoDB connection (#9955) (e0165e7)
add onDelete option validation for oracle (#9786) (938f94b), closes #9189
added instanceName to options (#9968) (7c5627f)
added transaction retry logic in cockroachdb (#10032) (607d6f9)
allow json as alias for longtext mariadb (#10018) (2a2bb4b)
convert the join table ID to the referenceColumn ID type (#9887) (9460296)
correct encode mongodb auth credentials (#10024) (96b7ee4), closes #9885
create correct children during cascade saving entities with STI (#9034) (06c1e98), closes #7758 #7758 #9033 #9033 #7758 #7758
express option bug in init command (#10022) (5be20e2)
for running cli-ts-node-esm use exit code from child process (#10030) (a188b1d), closes #10029
mongodb typings breaks the browser version (#9962) (99bef49), closes #9959
RelationIdLoader has access to queryPlanner when wrapped in transaction (#9990) (21a9d67), closes #9988
resolve duplicate subscriber updated columns (#9958) (3d67901), closes #9948
select + addOrderBy broke in 0.3.14 (#9961) (0e56f0f), closes #9960
support More/LessThanOrEqual in relations (#9978) (8795c86)

Features

mariadb uuid inet4 inet6 column data type support (#9845) (d8a2e37)

Reverts

"refactor: remove date-fns package (#9634)" (54f4f89)

`v0.3.15`

Compare Source

Bug Fixes

make cache optional fields optional (#9942) (159c60a)
prevent unique index identical to primary key (all sql dialects) (#9940) (51eecc2)
SelectQueryBuilder builds incorrectly escaped alias in Oracle when used on entity with composite key (#9668) (83c6c0e)

Features

support for the latest mongodb v5 (#9925) (f6a3ce7), closes #7907 #7907

`v0.3.14`

Compare Source

Bug Fixes

add trustServerCertificate option to SqlServerConnectionOptions (#9985) (0305805), closes #8093
add directConnection options to MongoDB connection (#9955) (e0165e7)
add onDelete option validation for oracle (#9786) (938f94b), closes #9189
added instanceName to options (#9968) (7c5627f)
added transaction retry logic in cockroachdb (#10032) (607d6f9)
allow json as alias for longtext mariadb (#10018) (2a2bb4b)
convert the join table ID to the referenceColumn ID type (#9887) ([9460296](https:/

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2024-03-21T23:36:46Z

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/class-transformer
npm ERR!   class-transformer@"^0.3.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer class-transformer@"^0.2.3" from [email protected]
npm ERR! node_modules/routing-controllers
npm ERR!   routing-controllers@"^0.8.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/class-transformer
npm ERR!   peer class-transformer@"^0.2.3" from [email protected]
npm ERR!   node_modules/routing-controllers
npm ERR!     routing-controllers@"^0.8.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-03-21T23_36_36_948Z-debug-0.log

renovate · 2025-08-10T13:44:32Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/class-transformer
npm ERR!   class-transformer@"^0.3.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer class-transformer@"^0.2.3" from [email protected]
npm ERR! node_modules/routing-controllers
npm ERR!   routing-controllers@"^0.8.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/class-transformer
npm ERR!   peer class-transformer@"^0.2.3" from [email protected]
npm ERR!   node_modules/routing-controllers
npm ERR!     routing-controllers@"^0.8.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2025-10-31T19_55_02_027Z-debug-0.log

Update dependency typeorm to ^0.3.0 [SECURITY]

4b5566e

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update dependency typeorm to ^0.3.0 [SECURITY] #68

Update dependency typeorm to ^0.3.0 [SECURITY] #68

Uh oh!

renovate bot commented Mar 21, 2024 •

edited

Loading

Uh oh!

renovate bot commented Mar 21, 2024

Uh oh!

renovate bot commented Aug 10, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Update dependency typeorm to ^0.3.0 [SECURITY] #68

Are you sure you want to change the base?

Update dependency typeorm to ^0.3.0 [SECURITY] #68

Uh oh!

Conversation

renovate bot commented Mar 21, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

Release Notes

Bug Fixes

Features

Performance Improvements

Bug Fixes

Features

Bug Fixes

Features

Performance Improvements

⚠️ Note on a breaking change

Bug Fixes

Features

Performance Improvements

Bug Fixes

Features

Reverts

Bug Fixes

Performance Improvements

Bug Fixes

Features

Reverts

Bug Fixes

Bug Fixes

Features

Performance Improvements

BREAKING CHANGES

Bug Fixes

Bug Fixes

Features

Reverts

Bug Fixes

Features

Bug Fixes

Configuration

Uh oh!

renovate bot commented Mar 21, 2024

⚠ Artifact update problem

File name: package-lock.json

Uh oh!

renovate bot commented Aug 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: package-lock.json

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Mar 21, 2024 •

edited

Loading

renovate bot commented Aug 10, 2025 •

edited

Loading