Added
add @IsTimeZone decorator to check if given string is valid IANA time zone
add @IsISO4217CurrencyCode decorator to check if the string is an ISO 4217 currency code
add @IsStrongPassword decorator to check if given password matches specific complexity criteria
add @IsBase58 decorator to check if a string is base58 encoded
add @IsTaxId decorator to check if a given string is a valid tax ID in a given locale
add support for passing function as date generator in @MinDate and @MaxDate decorators
add option to print constraint error message instead of constraint type in validation error
improve decorator metadata lookup performance
return possible values in error message for @IsEnum decorator
Fixed
re-added @types/validator as dependency
fix error generation when using @NestedValidation
pass validation options correctly to validator in @IsDateString decorator
support passing Symbol as parameter in error message generation
specify supported locales for @IsAlphanumeric decorator
correctly assign decorator name in metadata instead of losing it
fix various spelling errors in documentation
fix various spelling errors and inconsistencies in JSDoc for decorators
Changed
enable forbidUnknownValues option by default
remove documentation about deprecated schema based validation and added warning
update warning message logged about missing decorator metadata
update libphonenumber-js to ^1.10.14 from ^1.9.43
update various dev-dependencies
BREAKING CHANGES
forbidUnknownValues option is enabled by default
From this release the forbidUnknownValues option is enabled by default. This is the desired behavior for the majority of
use-cases, but this change may break validation for some. The two scenarios that result in failed validation:
- when attempting to validate a class instance without metadata for it
- when using group validation and the specified validation group results in zero validation applied
The old behavior can be restored by specifying the forbidUnknownValues: false option when calling the validate functions.
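The two scenarios above, shown with an added example that models the option rather than calling class-validator (this is not the library's code; the metadata registry, the addConstraint helper and the validate signature are this example's own simplifications, chosen to mirror the behaviour the changelog describes):

```javascript
// Added example (a model, not class-validator's code): what forbidUnknownValues
// decides when the validator finds no rules to apply. Reproduces the two cases
// in the changelog: a class with no registered metadata, and a group that
// selects zero constraints. Registry shape and helper names are assumptions.

// Model of the decorator metadata store: class -> list of constraints.
const metadata = new Map();

// Register one constraint for a property (what a decorator such as
// @IsEmail() would record). `groups` is optional.
function addConstraint(target, property, name, check, groups = []) {
  if (!metadata.has(target)) metadata.set(target, []);
  metadata.get(target).push({ property, name, check, groups });
}

// Constraints selected for the requested groups. Simplification: with no
// groups requested every constraint applies; the real library has more
// rules for ungrouped validation.
function constraintsFor(target, groups) {
  const all = metadata.get(target) || [];
  if (groups.length === 0) return all;
  return all.filter((c) => c.groups.some((g) => groups.includes(g)));
}

function validate(instance, options = {}) {
  const { forbidUnknownValues = true, groups = [] } = options;
  const constraints = constraintsFor(instance.constructor, groups);
  if (constraints.length === 0) {
    // Nothing selects any rule for this value. With the new default that is
    // reported as an error instead of a silent pass.
    return forbidUnknownValues
      ? [{ property: undefined, constraints: { unknownValue: 'no validation metadata applies to this value' } }]
      : [];
  }
  const errors = [];
  for (const c of constraints) {
    const value = instance[c.property];
    if (!c.check(value)) {
      errors.push({ property: c.property, constraints: { [c.name]: `${c.property} failed ${c.name}` } });
    }
  }
  return errors;
}

// Constructed sample classes: a DTO with one rule in the 'create' group, and a
// class that was never decorated (e.g. a request body never mapped to a DTO).
class CreateUserDto {
  constructor(email) { this.email = email; }
}
addConstraint(CreateUserDto, 'email', 'isEmail',
  (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+$/.test(v), ['create']);

class Untyped {
  constructor(payload) { Object.assign(this, payload); }
}

// Scenario 1: no metadata for the class.
const noMetadataDefault = validate(new Untyped({ role: 'admin' }));
const noMetadataLegacy = validate(new Untyped({ role: 'admin' }), { forbidUnknownValues: false });

// Scenario 2: a group that selects zero constraints.
const emptyGroupDefault = validate(new CreateUserDto('x'), { groups: ['update'] });
const emptyGroupLegacy = validate(new CreateUserDto('x'), { groups: ['update'], forbidUnknownValues: false });

// A group that does select a rule still reports the real failure.
const badEmail = validate(new CreateUserDto('not-an-email'), { groups: ['create'] });
```

The practical reading: an object that carries no usable validation metadata used to come back with zero errors and pass straight through, which is exactly the wrong outcome at a trust boundary. Keep the new default and fix the missing metadata or group selection rather than restoring the old behaviour with forbidUnknownValues: false.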
4.3.1
Fixes a ReDoS regression (#458) - see #797 for details.
4.3.0
Minor release
Deprecated debugInstance.destroy(). Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
Fixed quoted percent sign
Fixed memory leak within debug instances that are created dynamically
4.2.0
Minor Release
Replaced phantomJS with chrome backend for browser tests
Deprecated and later removed Changelog.md in lieu of releases page
Changes in this version include changes from the next branch and the typeorm@next version.
They were pending their migration since 2018. Finally, they are in the master branch and the master version.
Features
compilation target now is es2020. This requires Node.JS version 14+
TypeORM now properly works when installed within different node_modules contexts
(often happens if TypeORM is a dependency of another library or TypeORM is heavily used in monorepo projects)
Connection was renamed to DataSource.
Old Connection is still there, but now it's deprecated. It will be completely removed in the next version.
New API:
```typescript
// load entities, establish db connection, sync schema, etc.
await dataSource.connect()
```
Previously, you could use new Connection(), createConnection(), getConnectionManager().create(), etc.
They are all deprecated in favour of the new syntax you can see above.
The new way gives you more flexibility and simplicity in usage.
Old ways of custom repository creation were dropped.
Added a new relation load strategy option called relationLoadStrategy.
Relation load strategy is used on entity load and determines how relations must be loaded when you query entities and their relations from the database.
Used on find* methods and QueryBuilder. Value can be set to join or query.
New locales (es-mx, bn-bd).
Minor bugfixes and locale improvements.
More tests.
Moment is in maintenance mode. Read more at this link:
https://momentjs.com/docs/#/-project-status/
Coerce numbers to strings when passed to semver.coerce()
Add rtl option to coerce from right to left
6.1.3
Handle X-ranges properly in includePrerelease mode
6.1.2
Do not throw when testing invalid version strings
6.1.1
Add options support for semver.coerce()
Handle undefined version passed to Range.test
6.1.0
Add semver.compareBuild function
Support * in semver.intersects
6.0
Fix intersects logic.
This is technically a bug fix, but since it is also a change to behavior
that may require users updating their code, it is marked as a major
version increment.
5.7
Add minVersion method
5.6
Move boolean loose param to an options object, with
backwards-compatibility protection.
Add ability to opt out of special prerelease version handling with
the includePrerelease option flag.
Micro-Learning Topic: OS command injection (Detected by phrase)
In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.
Helpful references
- OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
- OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications
Micro-Learning Topic: Open redirect (Detected by phrase)
This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).
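An added example of a redirect check that stays on the site (not the page's code and not express's; the express commits in this PR mention an allow-list bypass in res.location tied to URL encoding, and the check below avoids the general weakness of string-prefix allow lists by comparing parsed origins). The site origin, the fallback and the sample inputs are constructed for the example; only the global WHATWG URL class is a real API:

```javascript
// Added example, not from the page or from express: resolve a user-supplied
// "next" parameter to a redirect target that cannot leave this site.
// SITE_ORIGIN and FALLBACK are assumptions for the example.
const SITE_ORIGIN = 'https://app.example.com';
const FALLBACK = '/';

// Returns an absolute URL on SITE_ORIGIN, or FALLBACK when the input would
// leave the site. The candidate is parsed relative to the site, so a plain
// path stays local, while anything carrying its own authority
// ("//evil.example", "https://evil.example", "/\evil.example",
// "https://app.example.com@evil.example") resolves to a foreign origin.
function safeRedirectTarget(next) {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return FALLBACK;
  let url;
  try {
    url = new URL(next, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://app.example.com.evil.example" passes a startsWith check but has
  // a different origin. "javascript:" and "data:" targets have origin "null".
  if (url.origin !== SITE_ORIGIN) return FALLBACK;
  // Do not carry caller-supplied credentials or fragments into the Location.
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}
```

In a handler this is `res.redirect(safeRedirectTarget(req.query.next))`; the value handed to the response is the one that was checked, with no further encoding or string assembly in between, which is the property an allow list has to preserve.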
Micro-Learning Topic: Server-side request forgery (Detected by phrase)
Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL; when this request reaches the server, the server-side code executes the exploit URL, allowing the attacker to read data from services that shouldn't be exposed.
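An added example (not code from the page or from any project in this PR) of the gate a server should put in front of any URL it fetches on a user's behalf. The blocked ranges are the standard loopback, link-local, private and reserved ones; the policy function, its result shape and the sample URLs are this example's own assumptions, and only the global URL class is a real API:

```javascript
// Added example, not from the page: decide whether an outbound fetch target
// is allowed. Covers scheme, embedded credentials, and internal address
// literals in the forms the WHATWG parser produces. Policy is an assumption.

// IPv4 ranges an internal fetcher must never reach: "this" network, RFC 1918,
// carrier-grade NAT, loopback, link-local (which contains the cloud metadata
// address 169.254.169.254), multicast and reserved/broadcast.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr4(addr, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// true = internal address, false = public literal address,
// null = a host name that must be resolved before it can be judged.
function isBlockedAddress(hostname) {
  const v4 = parseIPv4(hostname);
  if (v4 !== null) return BLOCKED_V4.some((r) => inCidr4(v4, r));
  if (hostname.startsWith('[') && hostname.endsWith(']')) {
    const v6 = hostname.slice(1, -1).toLowerCase();
    if (v6 === '::1' || v6 === '::') return true;                    // loopback, unspecified
    if (/^fe[89ab][0-9a-f]:/.test(v6) || /^f[cd][0-9a-f]{2}:/.test(v6)) return true; // link-local, ULA
    // IPv4-mapped addresses: the URL parser serialises them as hex groups
    // (::ffff:7f00:1), so decode back to dotted form and re-check.
    const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (mapped) {
      const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
      return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
    if (dotted) return isBlockedAddress(dotted[1]);
    return false;
  }
  return null;
}

function checkOutboundUrl(input) {
  let url;
  try {
    url = new URL(input); // absolute URLs only; also normalises 0x7f000001 and 127.1 to 127.0.0.1
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const blocked = isBlockedAddress(host);
  if (blocked === true) return { ok: false, reason: `${host} is an internal address` };
  // For a name, the caller resolves it, passes every returned address through
  // checkResolvedAddresses, and then connects to exactly that address.
  return { ok: true, host, needsResolution: blocked === null };
}

// Same policy applied to the addresses DNS returned for a host name.
function checkResolvedAddresses(addresses) {
  const bad = addresses.find((a) => isBlockedAddress(a.includes(':') ? `[${a}]` : a) === true);
  return bad ? { ok: false, reason: `${bad} is an internal address` } : { ok: true };
}
```

Two caveats that the URL check alone cannot cover: the address used for the connection must be the one that was checked (resolve once, validate, then connect to that IP, for instance through the `lookup` option of http.request), otherwise a DNS answer that changes between the check and the connect bypasses it; and every redirect hop needs the same check, since a public host that 302s to 169.254.169.254 is the usual way past a first-request-only filter.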
To trigger a single review, invoke the @coderabbitai review command.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
Tips
### Chat
There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai):
- Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- `I pushed a fix in commit .`
- `Generate unit testing code for this file.`
- `Open a follow-up GitHub issue for this discussion.`
- Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples:
- `@coderabbitai generate unit testing code for this file.`
- `@coderabbitai modularize this function.`
- PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- `@coderabbitai generate interesting stats about this repository and render them as a table.`
- `@coderabbitai show all the console.log statements in this repository.`
- `@coderabbitai read src/utils.ts and generate unit testing code.`
- `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.`
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.
### CodeRabbit Commands (invoked as PR comments)
- `@coderabbitai pause` to pause the reviews on a PR.
- `@coderabbitai resume` to resume the paused reviews.
- `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository.
- `@coderabbitai resolve` resolve all the CodeRabbit review comments.
- `@coderabbitai help` to get help.
Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed.
### CodeRabbit Configuration File (`.coderabbit.yaml`)
- You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository.
- Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information.
- If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json`
### Documentation and Community
- Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit.
- Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.
- Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
Bumps the npm_and_yarn group with 24 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| lodash | 4.17.15 | 4.17.21 |
| class-validator | 0.10.1 | 0.14.0 |
| debug | 4.1.1 | 4.3.1 |
| express | 4.17.1 | 4.19.2 |
| typeorm | 0.2.26 | 0.3.0 |
| apollo-server-core | 2.16.0 | 3.13.0 |
| braft-editor | 2.3.8 | 2.3.9 |
| moment | 2.24.0 | 2.29.4 |
| semver | 6.3.0 | 6.3.1 |
| @babel/traverse | 7.6.2 | 7.24.1 |
| | 4.0.4 | 4.2.3 |
| | 3.0.4 | 3.1.8 |
| | 0.2.0 | 0.2.2 |
| | 1.0.7 | 1.1.2 |
| | 1.9.0 | 1.15.6 |
| | 0.11.4 | 0.11.8 |
| | 6.2.3 | 6.2.4 |
| | 0.8.3 | 0.8.5 |
| | 3.3.0 | 3.3.1 |
| | 1.0.4 | 1.0.5 |
| | 1.0.1 | 1.0.3 |
| | 0.7.20 | 0.7.37 |
| | 1.4.7 | 1.5.10 |
| | 5.2.2 | 5.2.3 |
Updates lodash from 4.17.15 to 4.17.21
Commits
- `f299b52` Bump to v4.17.21
- `c4847eb` Improve performance of toNumber, trim and trimEnd on large input strings
- `3469357` Prevent command injection through _.template's variable option
- `ded9bc6` Bump to v4.17.20.
- `63150ef` Documentation fixes.
- `00f0f62` test.js: Remove trailing comma.
- `846e434` Temporarily use a custom fork of lodash-cli.
- `5d046f3` Re-enable Travis tests on 4.17 branch.
- `aa816b3` Remove /npm-package.
- `d7fbc52` Bump to v4.17.19
Maintainer changes
This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.
Updates class-validator from 0.10.1 to 0.14.0
Changelog
Sourced from class-validator's changelog.
... (truncated)
Commits
- `5f0d424` merge: release 0.14.0 (#1841)
- `e3d0708` build: bump version to 0.14.0
- `ad76890` docs: add changelog for 0.14.0
- `9a775c5` build(deps-dev): bump @types/node from 18.11.11 to 18.11.12 (#1840)
- `53bc9f6` build(deps-dev): bump @typescript-eslint/eslint-plugin (#1837)
- `d9b4072` build(deps-dev): bump @typescript-eslint/parser from 5.45.1 to 5.46.0 (#1838)
- `f993e9e` build(deps-dev): bump typescript from 4.9.3 to 4.9.4 (#1835)
- `ad1a41d` build(deps-dev): bump @rollup/plugin-commonjs from 23.0.3 to 23.0.4 (#1836)
- `42b4f7f` build(deps-dev): bump prettier from 2.8.0 to 2.8.1 (#1834)
- `0c986d4` build(deps-dev): bump @types/node from 18.11.10 to 18.11.11 (#1833)
Maintainer changes
This version was pushed to npm by typestack-release-bot, a new releaser for class-validator since your current version.
Updates debug from 4.1.1 to 4.3.1
Release notes
Sourced from debug's releases.
Commits
- `0d3d66b` 4.3.1
- `b6d12fd` fix regression
- `3f56313` 4.3.0
- `e2d3bc9` add deprecation notice for debug.destroy()
- `72e7f86` fix memory leak within debug instance
- `27152ca` add test for enable/disable of existing instances
- `22e13fe` fix quoted percent sign
- `80ef62a` 4.2.0
- `09914af` Marks supports-color as an optional peer dependency
- `db306db` Update and pin ms to 2.1.2
Maintainer changes
This version was pushed to npm by qix, a new releaser for debug since your current version.
Updates express from 4.17.1 to 4.19.2
Release notes
Sourced from express's releases.
... (truncated)
Changelog
Sourced from express's changelog.
... (truncated)
Commits
- `04bc627` 4.19.2
- `da4d763` Improved fix for open redirect allow list bypass
- `4f0f6cc` 4.19.1
- `a003cfa` Allow passing non-strings to res.location with new encoding handling checks f...
- `a1fa90f` fixed un-edited version in history.md for 4.19.0
- `11f2b1d` build: fix build due to inconsistent supertest behavior in older versions
- `084e365` 4.19.0
- `0867302` Prevent open redirect allow list bypass due to encodeurl
- `567c9c6` Add note on how to update docs for new release (#5541)
- `69a4cf2` deps: cookie@0.6.0
Maintainer changes
This version was pushed to npm by wesleytodd, a new releaser for express since your current version.
Updates typeorm from 0.2.26 to 0.3.0
Release notes
Sourced from typeorm's releases.
... (truncated)
Changelog
Sourced from typeorm's changelog.
... (truncated)
Commits
- `941b584` version bump
- `3b8a031` 0.3.0 (#8616)
- `5608956` refactor: remove spaces for consistency (#8751)
- `486f8c5` version bump
- `0fc093d` fix: discard duplicated columns on update (#8724)
- `f3cfdd2` fix: allow clearing database inside a transaction (#8712)
- `96ac8f7` feat: add transformer to ViewColumnOptions (#8717)
- `32549fe` refactor: DefaultNamingStrategy#getTableName should be protected, not private...
- `411fa54` fix: force web bundlers to ignore index.mjs and use the browser ESM version d...
- `10f46d9` fixing failing test
Updates apollo-server-core from 2.16.0 to 3.13.0
Commits
- `f93284e` Release
- `4745ebe` Rename option from disableValidation to dangerouslyDisableValidation
- `11f5981` Add disableValidation option to apollo-server-core
- `ea2e2c3` Release
- `1dd45b8` get CI passing
- `d38b43b` Merge pull request from GHSA-j5g3-5c8r-7qfx
- `fac578a` Release
- `8554050` Update protobuf (version-3) (#7412)
- `6247d96` Release
- `538151b` Release
Maintainer changes
This version was pushed to npm by apollo-bot, a new releaser for apollo-server-core since your current version.
Updates braft-editor from 2.3.8 to 2.3.9
Commits
Maintainer changes
This version was pushed to npm by tenon-js, a new releaser for braft-editor since your current version.
Updates moment from 2.24.0 to 2.29.4
Changelog
Sourced from moment's changelog.
... (truncated)
Commits
- `000ac18` Build 2.24.4
- `f2006b6` Bump version to 2.24.4
- `536ad0c` Update changelog for 2.29.4
- `9a3b589` [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
- `6374fd8` Merge branch 'master' into develop
- `b4e6153` Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
- `7aebb16` [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
- `57c9062` Build 2.29.3
- `aaf50b6` Fixup release complaints
- `26f4aef` Bump version to 2.29.3
Updates semver from 6.3.0 to 6.3.1
Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.
... (truncated)
Commits
- `44d27bc` chore: release 6.3.1
- `928e56d` fix: better handling of whitespace (#591)
- `39f6326` chore: @npmcli/template-oss@4.16.0
Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.
Updates @babel/traverse from 7.6.2 to 7.24.1
Release notes
Sourced from @babel/traverse's releases.
... (truncated)
Changelog
Sourced from @babel/traverse's changelog.
... (truncated)
Commits
- `822b025` v7.24.1
Unable to locate .performanceTestingBot config file
It seems you are using me but did not set OPENAI_API_KEY in Variables/Secrets for this repo. You could follow the readme for more information.
Processing PR updates...
Micro-Learning Topic: OS command injection (Detected by phrase)
Matched on "command injection"
Micro-Learning Topic: Open redirect (Detected by phrase)
Matched on "open redirect"
Micro-Learning Topic: Server-side request forgery (Detected by phrase)
Matched on "ssRF"
Thanks @dependabot[bot] for opening this PR!
For COLLABORATOR only :
To add labels, comment on the issue
/label add label1,label2,label3
To remove labels, comment on the issue
/label remove label1,label2,label3
Check out the playback for this Pull Request here.