This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`.

If the user passed values such as

```json
{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}
```

Sequelize would first generate this query:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
```

Then would inject replacements in it, which resulted in this:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
```
As you can see this resulted in arbitrary user-provided SQL being executed.
This PR contains the following updates:
6.9.0 -> 6.29.0
GitHub Vulnerability Alerts
CVE-2023-25813
Impact
The SQL injection exploit is related to replacements. Here is such an example:
In the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`.

If the user passed values such as
Sequelize would first generate this query:
Then would inject replacements in it, which resulted in this:
As you can see this resulted in arbitrary user-provided SQL being executed.
Patches
The issue was fixed in Sequelize 6.19.1
Workarounds
Do not use the `replacements` and the `where` option in the same query if you are not using Sequelize >= 6.19.1

References
See this thread for more information: https://github.com/sequelize/sequelize/issues/14519
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
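The two-pass substitution described in the CVE-2023-25813 advisory above, modelled as an added example (this is not Sequelize's code): a naive pass that replaces every `:name` reproduces the injected query, while a pass that skips quoted strings, which is what the 6.19.1 fix is described as doing, leaves the stored value alone. The function names and the hand-written first-pass query builder are assumptions made for the illustration.

```javascript
'use strict';

// Added illustration; a simplified model, not Sequelize's implementation.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Escape a value as a SQL string literal (single quotes are doubled).
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// First pass: stands in for the query built from the `where` option.
// The lastName value is escaped and inlined; :firstName stays a placeholder.
function buildWhereQuery(lastName) {
  return 'SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName)' +
    ' OR "lastName" = ' + escapeLiteral(lastName);
}

// Behaviour before 6.19.1 as the advisory describes it: every :name in the
// SQL text is replaced, including one that sits inside a string literal.
function naiveInject(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, key) =>
    hasOwn(replacements, key) ? escapeLiteral(replacements[key]) : match);
}

// String-aware pass: quoted literals and quoted identifiers are copied
// verbatim, and placeholders are only replaced outside of them.
function literalAwareInject(sql, replacements) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'" || ch === '"') {
      // Find the closing quote; a doubled quote is an escaped quote.
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === ch) {
          if (sql[j + 1] === ch) { j += 2; continue; }
          break;
        }
        j += 1;
      }
      out += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (ch === ':' && sql[i + 1] === ':') {
      // A `::type` cast is not a placeholder.
      out += '::';
      i += 2;
      continue;
    }
    if (ch === ':') {
      const m = /^:(\w+)/.exec(sql.slice(i));
      if (m && hasOwn(replacements, m[1])) {
        out += escapeLiteral(replacements[m[1]]);
        i += m[0].length;
        continue;
      }
    }
    out += ch;
    i += 1;
  }
  return out;
}

// Constructed input: the two values quoted in the advisory.
const userInput = { firstName: 'OR true; DROP TABLE users;', lastName: ':firstName' };
const firstPass = buildWhereQuery(userInput.lastName);
const replacements = { firstName: userInput.firstName };

console.log('first pass   :', firstPass);
console.log('naive        :', naiveInject(firstPass, replacements));
console.log('string-aware :', literalAwareInject(firstPass, replacements));
```

In the string-aware output the `lastName` comparison still holds the literal text `:firstName`, so the user-supplied value never leaves its quotes.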
CVE-2023-22580
Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure.
CVE-2023-22579
Impact
Providing an invalid value to the `where` option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:
As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.
Patches
This issue has been patched in `sequelize@6.28.1` & `@sequelize/core@7.0.0.alpha-20`
References
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698
CVE: CVE-2023-22579 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
CVE-2023-22578
Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
Produced
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in `@sequelize/core@7.0.0.alpha-20` and `sequelize@6.29.0`.

In Sequelize 7, it now produces the following:

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first.

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694

CVE: CVE-2023-22578
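One way to apply the `rawAttributes` mitigation before a user-supplied attribute list reaches a finder, as an added example that is not part of the advisory or of Sequelize. `safeAttributes`, the alias pattern and the `User` object (a constructed stand-in exposing only `rawAttributes`) are assumptions made for the illustration.

```javascript
'use strict';

// Constructed stand-in for a Sequelize model: only `rawAttributes`, the
// property named in the mitigation, is modelled here.
const User = {
  name: 'User',
  rawAttributes: { id: {}, firstName: {}, lastName: {}, email: {} },
};

// Assumed policy for aliases in the [attribute, alias] form: plain identifiers only.
const ALIAS_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// True only for own keys of rawAttributes, so inherited names such as
// "constructor" or "__proto__" are not accepted as attributes.
function isModelAttribute(model, name) {
  return typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(model.rawAttributes, name);
}

// Hypothetical helper: returns a copy of `requested` that is safe to pass as
// the `attributes` option, or throws on the first entry that is not a known
// attribute. Strings containing parentheses never match a model attribute,
// so they are rejected here instead of reaching the query generator.
function safeAttributes(model, requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new TypeError('attributes must be a non-empty array');
  }
  return requested.map((entry) => {
    if (Array.isArray(entry)) {
      const [name, alias] = entry;
      if (entry.length !== 2 || !isModelAttribute(model, name) ||
          typeof alias !== 'string' || !ALIAS_RE.test(alias)) {
        throw new TypeError('rejected attribute/alias pair: ' + JSON.stringify(entry));
      }
      return [name, alias];
    }
    if (!isModelAttribute(model, entry)) {
      throw new TypeError('rejected attribute: ' + JSON.stringify(entry));
    }
    return entry;
  });
}

// Constructed sample requests, e.g. parsed from a `?fields=` query parameter.
const samples = [
  ['firstName', ['email', 'contact']],
  ['count(id)'],
  ['constructor'],
  [['email', 'contact info']],
];
for (const requested of samples) {
  try {
    console.log('accepted:', JSON.stringify(safeAttributes(User, requested)));
  } catch (err) {
    console.log('rejected:', err.message);
  }
}
```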
Release Notes
sequelize/sequelize (sequelize)
### [`v6.29.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.29.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.28.2...v6.29.0)

##### Features

- throw an error if attribute includes parentheses (fixes CVE-2023-22578) ([#15710](https://togithub.com/sequelize/sequelize/issues/15710)) ([d3f5b5a](https://togithub.com/sequelize/sequelize/commit/d3f5b5a65e297f4b6861e6a6ce335a9830b28781))

### [`v6.28.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.28.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.28.1...v6.28.2)

##### Bug Fixes

- accept undefined in where ([#15703](https://togithub.com/sequelize/sequelize/issues/15703)) ([13f2e89](https://togithub.com/sequelize/sequelize/commit/13f2e89f8b6147897e3e43f01487de51aebcde87))

### [`v6.28.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.28.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.28.0...v6.28.1)

##### Bug Fixes

- throw if where receives an invalid value ([#15699](https://togithub.com/sequelize/sequelize/issues/15699)) ([d9e0728](https://togithub.com/sequelize/sequelize/commit/d9e0728f2c2c5ae319f337c78091e1081440595d))
- update moment-timezone version ([#15685](https://togithub.com/sequelize/sequelize/issues/15685)) ([48d6193](https://togithub.com/sequelize/sequelize/commit/48d619379108320831c9c6a0ec42bfda6586fec5))

### [`v6.28.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.28.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.27.0...v6.28.0)

##### Features

- **types:** use retry-as-promised types for retry options to match documentation ([#15484](https://togithub.com/sequelize/sequelize/issues/15484)) ([fd4afa6](https://togithub.com/sequelize/sequelize/commit/fd4afa6a89c111c6d6d0c94f0b98bf421b5357b6))

### [`v6.27.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.27.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.26.0...v6.27.0)

##### Features

- add support for bigints (backport of [#14485](https://togithub.com/sequelize/sequelize/issues/14485)) ([#15413](https://togithub.com/sequelize/sequelize/issues/15413)) ([1247c01](https://togithub.com/sequelize/sequelize/commit/1247c01265743e4bdbd6d91a51cf64cd9d1e6617))

### [`v6.26.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.26.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.8...v6.26.0)

##### Features

- **postgres:** add support for lock_timeout \[[#15345](https://togithub.com/sequelize/sequelize/issues/15345)] ([#15355](https://togithub.com/sequelize/sequelize/issues/15355)) ([94beace](https://togithub.com/sequelize/sequelize/commit/94beace4ca666765ec9c84a3f7ef0e826e09699d))

### [`v6.25.8`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.8)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.7...v6.25.8)

##### Bug Fixes

- **oracle:** remove hardcoded maxRows value ([#15323](https://togithub.com/sequelize/sequelize/issues/15323)) ([7885000](https://togithub.com/sequelize/sequelize/commit/7885000a70eb451100fa8f54d45361887241521c))

### [`v6.25.7`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.7)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.6...v6.25.7)

##### Bug Fixes

- fix parameters not being replaced when after $$ strings ([#15307](https://togithub.com/sequelize/sequelize/issues/15307)) ([bc39fd6](https://togithub.com/sequelize/sequelize/commit/bc39fd69919e0af0cb0732ca9bfe3e60691c778a))

### [`v6.25.6`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.6)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.5...v6.25.6)

##### Bug Fixes

- **postgres:** invalidate connection after client-side timeout ([#15283](https://togithub.com/sequelize/sequelize/issues/15283)) ([a205765](https://togithub.com/sequelize/sequelize/commit/a20576527b84d4986372b25303b61536fae7479a)), closes [/github.com/brianc/node-postgres/blob/5538df6b446f4b4f921947b460fe38acb897e579/packages/pg/lib/client.js#L529](https://togithub.com//github.com/brianc/node-postgres/blob/5538df6b446f4b4f921947b460fe38acb897e579/packages/pg/lib/client.js/issues/L529)

### [`v6.25.5`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.5)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.4...v6.25.5)

##### Bug Fixes

- remove options.model overwrite on bulkUpdate ([#15252](https://togithub.com/sequelize/sequelize/issues/15252)) ([67e69cd](https://togithub.com/sequelize/sequelize/commit/67e69cdb0e9d3dc16f61449cf0cf4f609c724719)), closes [#15231](https://togithub.com/sequelize/sequelize/issues/15231)

### [`v6.25.4`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.4)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.3...v6.25.4)

##### Bug Fixes

- **types:** add instance.dataValues property to model.d.ts ([#15240](https://togithub.com/sequelize/sequelize/issues/15240)) ([00c6da3](https://togithub.com/sequelize/sequelize/commit/00c6da326630a85363b6d5e7d5570ac8ca8b31b8))

### [`v6.25.3`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.2...v6.25.3)

##### Bug Fixes

- don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix ([#15139](https://togithub.com/sequelize/sequelize/issues/15139)) ([7990095](https://togithub.com/sequelize/sequelize/commit/7990095e369b226844669ec691cc7bce94c3dbbe)), closes [#14700](https://togithub.com/sequelize/sequelize/issues/14700)

### [`v6.25.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.1...v6.25.2)

##### Bug Fixes

- **types:** fix TS 4.9 excessive depth error on `InferAttributes` (v6) ([#15135](https://togithub.com/sequelize/sequelize/issues/15135)) ([851daaf](https://togithub.com/sequelize/sequelize/commit/851daafc73ff218f7de4455fe9f96eb896106210))

### [`v6.25.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.25.0...v6.25.1)

##### Bug Fixes

- **types:** expose legacy "types" folder in export alias ([#15123](https://togithub.com/sequelize/sequelize/issues/15123)) ([9dd93b8](https://togithub.com/sequelize/sequelize/commit/9dd93b8461b0ff0452d7db998d0686c3ef176150))

### [`v6.25.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.25.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.24.0...v6.25.0)

##### Features

- **oracle:** add support for `dialectOptions.connectString` ([#15042](https://togithub.com/sequelize/sequelize/issues/15042)) ([06ad05d](https://togithub.com/sequelize/sequelize/commit/06ad05df260a745cf97bc8e7365c74aea57e5220))

### [`v6.24.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.24.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.23.2...v6.24.0)

##### Features

- **snowflake:** Add support for `QueryGenerator#tableExistsQuery` ([#15087](https://togithub.com/sequelize/sequelize/issues/15087)) ([a44772e](https://togithub.com/sequelize/sequelize/commit/a44772ec58175cfdc2cea84eb359966e48ed1c7b))

### [`v6.23.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.23.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.23.1...v6.23.2)

##### Bug Fixes

- **postgres:** add custom order direction to subQuery ordering with minified alias ([#15056](https://togithub.com/sequelize/sequelize/issues/15056)) ([7203b66](https://togithub.com/sequelize/sequelize/commit/7203b6626ed38c06f91f09f73571fb7df56fe348))

### [`v6.23.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.23.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.23.0...v6.23.1)

##### Bug Fixes

- **oracle:** add support for Oracle DB 18c CI ([#15016](https://togithub.com/sequelize/sequelize/issues/15016)) ([5f621d7](https://togithub.com/sequelize/sequelize/commit/5f621d72c1f265bb7659b54eb33469db8a4443fd)), closes [#1](https://togithub.com/sequelize/sequelize/issues/1) [#7](https://togithub.com/sequelize/sequelize/issues/7) [#9](https://togithub.com/sequelize/sequelize/issues/9) [#13](https://togithub.com/sequelize/sequelize/issues/13) [#14](https://togithub.com/sequelize/sequelize/issues/14) [#16](https://togithub.com/sequelize/sequelize/issues/16)

### [`v6.23.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.23.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.22.1...v6.23.0)

##### Features

- **types:** add typescript 4.8 compatibility ([#14990](https://togithub.com/sequelize/sequelize/issues/14990)) ([3468378](https://togithub.com/sequelize/sequelize/commit/34683786d7ec832b179845188076ea2121ea78ff))

### [`v6.22.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.22.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.22.0...v6.22.1)

##### Bug Fixes

- **types:** missing type for oracle dialect in v6 ([#14992](https://togithub.com/sequelize/sequelize/issues/14992)) ([1da6657](https://togithub.com/sequelize/sequelize/commit/1da6657de18fc4918dc165f61aedf8888faa3704)), closes [#14991](https://togithub.com/sequelize/sequelize/issues/14991)

### [`v6.22.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.22.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.6...v6.22.0)

##### Features

- **oracle:** add oracle dialect support ([#14638](https://togithub.com/sequelize/sequelize/issues/14638)) ([c230d80](https://togithub.com/sequelize/sequelize/commit/c230d80676450169d9cd74fe4cdf0da261de77b8)), closes [#1](https://togithub.com/sequelize/sequelize/issues/1) [#7](https://togithub.com/sequelize/sequelize/issues/7) [#9](https://togithub.com/sequelize/sequelize/issues/9) [#13](https://togithub.com/sequelize/sequelize/issues/13) [#14](https://togithub.com/sequelize/sequelize/issues/14) [#16](https://togithub.com/sequelize/sequelize/issues/16)

### [`v6.21.6`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.6)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.5...v6.21.6)

##### Bug Fixes

- **types:** backport [#14704](https://togithub.com/sequelize/sequelize/issues/14704) for v6 ([#14964](https://togithub.com/sequelize/sequelize/issues/14964)) ([33d94b2](https://togithub.com/sequelize/sequelize/commit/33d94b223988d29bf1032ea2b589797664310839))

### [`v6.21.5`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.5)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.4...v6.21.5)

##### Bug Fixes

- **mariadb:** do not automatically parse JSON fields ([#14800](https://togithub.com/sequelize/sequelize/issues/14800)) ([d047f32](https://togithub.com/sequelize/sequelize/commit/d047f3275a451df73294f222c8a2c99ffdd22299))

### [`v6.21.4`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.4)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.3...v6.21.4)

##### Bug Fixes

- minified aliases are now properly referenced in subqueries (v6) ([#14852](https://togithub.com/sequelize/sequelize/issues/14852)) ([5a257bc](https://togithub.com/sequelize/sequelize/commit/5a257bc93c7e760f6b0158f55b3cb48878698450)), closes [#14804](https://togithub.com/sequelize/sequelize/issues/14804)

### [`v6.21.3`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.2...v6.21.3)

##### Bug Fixes

- **postgres:** attach postgres error-handler earlier in lifecycle (v6) ([#14731](https://togithub.com/sequelize/sequelize/issues/14731)) ([90bb694](https://togithub.com/sequelize/sequelize/commit/90bb69485021344351732dcafe31cb67a54175f7))

### [`v6.21.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.1...v6.21.2)

##### Bug Fixes

- properly escape multiple `$` in `fn` args ([#14678](https://togithub.com/sequelize/sequelize/issues/14678)) ([7bb60e3](https://togithub.com/sequelize/sequelize/commit/7bb60e3531127da684cc1f75307410c53dfc9c8c))

### [`v6.21.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.21.0...v6.21.1)

##### Bug Fixes

- **postgres:** use schema set in sequelize config by default ([#14665](https://togithub.com/sequelize/sequelize/issues/14665)) ([2f3b924](https://togithub.com/sequelize/sequelize/commit/2f3b9247ad4ef74d1ec1027562eaafb6b1e9755f))

### [`v6.21.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.21.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.20.1...v6.21.0)

##### Features

- exports types to support typescript >= 4.5 nodenext module ([#14620](https://togithub.com/sequelize/sequelize/issues/14620)) ([cbdf73e](https://togithub.com/sequelize/sequelize/commit/cbdf73e9ee52ebebf92679b183ce95c760e914db))

### [`v6.20.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.20.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.20.0...v6.20.1)

##### Bug Fixes

- kill connection on commit/rollback error ([#14535](https://togithub.com/sequelize/sequelize/issues/14535)) ([e1a9c28](https://togithub.com/sequelize/sequelize/commit/e1a9c28375e3bdd11347835b2f796290638ad58a))

### [`v6.20.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.20.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.19.2...v6.20.0)

##### Features

- support cyclic foreign keys ([#14499](https://togithub.com/sequelize/sequelize/issues/14499)) ([b37df96](https://togithub.com/sequelize/sequelize/commit/b37df964333c39b9e19daa9a2c45c1d0bb475433))

### [`v6.19.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.19.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.19.1...v6.19.2)

##### Bug Fixes

- accept replacements in `ARRAY[]` & followed by `;` ([#14518](https://togithub.com/sequelize/sequelize/issues/14518)) ([e37c572](https://togithub.com/sequelize/sequelize/commit/e37c57255fbd77244be22dc57d0a86490597831a))

### [`v6.19.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.19.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.19.0...v6.19.1)

##### Bug Fixes

- do not replace `:replacements` inside of strings ([#14472](https://togithub.com/sequelize/sequelize/issues/14472)) ([ccaa399](https://togithub.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b))

⚠️ BREAKING CHANGE: This change is a security fix that patches a serious SQL injection vulnerability, however it is possible that your application made use of it and broke as a result of this change. [Please see this issue for more information](https://togithub.com/sequelize/sequelize/issues/14519).
### [`v6.19.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.19.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.18.0...v6.19.0)

##### Bug Fixes

- **types:** make `WhereOptions` more accurate ([#14368](https://togithub.com/sequelize/sequelize/issues/14368)) ([0d0aade](https://togithub.com/sequelize/sequelize/commit/0d0aadec98871d704743563585eacf87b3403517))

##### Features

- **types:** make `Model.init` aware of pre-configured foreign keys ([#14370](https://togithub.com/sequelize/sequelize/issues/14370)) ([5954d2c](https://togithub.com/sequelize/sequelize/commit/5954d2cae542f8e4bd3351bc9d55b6880bd751c3))

### [`v6.18.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.18.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.17.0...v6.18.0)

##### Features

- add whereScopeStrategy to merge where scopes with Op.and ([#14152](https://togithub.com/sequelize/sequelize/issues/14152)) ([8349c02](https://togithub.com/sequelize/sequelize/commit/8349c02c5130fc431adec265e3a3ad043571f1b9))

### [`v6.17.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.17.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.16.3...v6.17.0)

##### Bug Fixes

- fix typo in query-generator.js error message ([#14151](https://togithub.com/sequelize/sequelize/issues/14151)) ([2d339d0](https://togithub.com/sequelize/sequelize/commit/2d339d0799d224dca79037e8465cf48abef496a8))
- **postgres:** correctly re-acquire connection for pg-native ([#14090](https://togithub.com/sequelize/sequelize/issues/14090)) ([82506a6](https://togithub.com/sequelize/sequelize/commit/82506a68dbb33e4824ed6b8462cedf52d90d8cfc))
- **types:** drop excess argument for upsert ([#14156](https://togithub.com/sequelize/sequelize/issues/14156)) ([da8678d](https://togithub.com/sequelize/sequelize/commit/da8678dec6ee6b8e427701e88d7db6810e990f82))
- **types:** export `GroupedCountResultItem` interface ([#14154](https://togithub.com/sequelize/sequelize/issues/14154)) ([a81b7ab](https://togithub.com/sequelize/sequelize/commit/a81b7ab38da7fea07e00114e88711fbfed9f9a34))
- **types:** update 'replication' option property ([#14126](https://togithub.com/sequelize/sequelize/issues/14126)) ([7ac1221](https://togithub.com/sequelize/sequelize/commit/7ac122163f63ced2e24dac1d73e0be298f686187))
- **types:** update return type of `Model.update` ([#14155](https://togithub.com/sequelize/sequelize/issues/14155)) ([b80aeed](https://togithub.com/sequelize/sequelize/commit/b80aeed3c4eccc98da78927e91483ca41035dffe))

##### Features

- **types:** infer nullable creation attributes as optional ([#14147](https://togithub.com/sequelize/sequelize/issues/14147)) ([f5c06bd](https://togithub.com/sequelize/sequelize/commit/f5c06bd493670a37ba6d6ed039d44ccdf79b126e))
- **types:** make `Model.getAttributes` stricter ([#14017](https://togithub.com/sequelize/sequelize/issues/14017)) ([e974e20](https://togithub.com/sequelize/sequelize/commit/e974e202ca755a008f450c88123fc166a5497bb2))

### [`v6.16.3`](https://togithub.com/sequelize/sequelize/releases/tag/v6.16.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.16.2...v6.16.3)

##### Bug Fixes

- **types:** support union in CreationAttributes ([#14146](https://togithub.com/sequelize/sequelize/issues/14146)) ([d23bd7a](https://togithub.com/sequelize/sequelize/commit/d23bd7a7e2aac095f8b210f8d0e0f060c215475f))

### [`v6.16.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.16.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.16.1...v6.16.2)

##### Bug Fixes

- **types:** missing snowflake and db2 dialects ([#14137](https://togithub.com/sequelize/sequelize/issues/14137)) ([0326c2c](https://togithub.com/sequelize/sequelize/commit/0326c2caee201ee7288eb917cb3facd5aefd9b12))

### [`v6.16.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.16.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.16.0...v6.16.1)

##### Bug Fixes

- correct path to `package.json` in Sequelize.version ([#14073](https://togithub.com/sequelize/sequelize/issues/14073)) ([b95c213](https://togithub.com/sequelize/sequelize/commit/b95c213909ce084ffd98f9e98c9cf881841e27f1))

### [`v6.16.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.16.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.15.1...v6.16.0)

##### Features

- gen /lib & /types from /src & drop /dist (v6) ([#14063](https://togithub.com/sequelize/sequelize/issues/14063)) ([6b8fbb4](https://togithub.com/sequelize/sequelize/commit/6b8fbb48d0d12f2c500f69ce79f7f54386c32b40))

### [`v6.15.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.15.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.15.0...v6.15.1)

##### Bug Fixes

- **types:** accept `$nested.syntax$` in WhereAttributeHash ([#13983](https://togithub.com/sequelize/sequelize/issues/13983)) ([4a513cf](https://togithub.com/sequelize/sequelize/commit/4a513cfb8d0061fe47864fa70655649a4f1b60ac))
- **types:** correct typing definitions for `Sequelize.where` ([#14018](https://togithub.com/sequelize/sequelize/issues/14018)) ([99c612b](https://togithub.com/sequelize/sequelize/commit/99c612bf4ffe61da1564b482b1d3680172ddde34))
- **types:** improve branded types ([#13990](https://togithub.com/sequelize/sequelize/issues/13990)) ([a578ea0](https://togithub.com/sequelize/sequelize/commit/a578ea001e0d8f0eddae41badc6814a2a527d9a9))

### [`v6.15.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.15.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.14.1...v6.15.0)

##### Bug Fixes

- **types:** deduplicate error typings ([#14002](https://togithub.com/sequelize/sequelize/issues/14002)) ([fc28629](https://togithub.com/sequelize/sequelize/commit/fc2862905a2f34bd8dcbfe78fa66c20693be44b7))

##### Features

- add options.rawErrors to `Sequelize#query` method ([#13881](https://togithub.com/sequelize/sequelize/issues/13881)) ([7c58851](https://togithub.com/sequelize/sequelize/commit/7c588511a37af5a5ab8c483bffa39a4060122d37))

### [`v6.14.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.14.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.14.0...v6.14.1)

##### Bug Fixes

- rollback PR [#13951](https://togithub.com/sequelize/sequelize/issues/13951) in v6 ([#14004](https://togithub.com/sequelize/sequelize/issues/14004)) ([1882f3c](https://togithub.com/sequelize/sequelize/commit/1882f3cd9c42c245d486950b3a9cb18b761e1536))

### [`v6.14.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.14.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.13.0...v6.14.0)

##### Bug Fixes

- don't call overloaded versions of find functions internally ([#13951](https://togithub.com/sequelize/sequelize/issues/13951)) ([fc53cdb](https://togithub.com/sequelize/sequelize/commit/fc53cdbfbbf312d501c03f4268637795e43131d7))
- don't call overloaded versions of find functions internally ([#13951](https://togithub.com/sequelize/sequelize/issues/13951)) ([b253d8e](https://togithub.com/sequelize/sequelize/commit/b253d8ed63c91bc2c7143f07806554b5a5ac67eb))
- **model.d:** fix type for `count` and `findAndCountAll` ([#13786](https://togithub.com/sequelize/sequelize/issues/13786)) ([b06c1fc](https://togithub.com/sequelize/sequelize/commit/b06c1fc283cbd20af6031199ece075d8b10b0feb))
- **types:** add hooks to InstanceDestroyOptions type ([#13491](https://togithub.com/sequelize/sequelize/issues/13491)) ([dbd9ea8](https://togithub.com/sequelize/sequelize/commit/dbd9ea8690d6d2209cf0d000239e87f93d02cbb0))
- **types:** add missing fields to FindOr{Create,Build}Options ([#13389](https://togithub.com/sequelize/sequelize/issues/13389)) ([ef63f8f](https://togithub.com/sequelize/sequelize/commit/ef63f8f3900135f9d5d7869ee5a1f78dd4da0e76))
- **types:** fix QueryInterface#bulkInsert attribute arg type ([#13945](https://togithub.com/sequelize/sequelize/issues/13945)) ([9e108e3](https://togithub.com/sequelize/sequelize/commit/9e108e3417c56df1b19db322cc7b0168d9bb3b85))

##### Features

- **types:** add `InferAttributes` utility type ([#13909](https://togithub.com/sequelize/sequelize/issues/13909)) ([fd42687](https://togithub.com/sequelize/sequelize/commit/fd426876dca4d265f80147b6c2080e7400fa0129))
- **types:** add typings for DataTypes.TSVECTOR ([#13940](https://togithub.com/sequelize/sequelize/issues/13940)) ([b8f0463](https://togithub.com/sequelize/sequelize/commit/b8f0463c30cc9ccb9386692e9acd7afbb9de5bd9))
- **types:** drop TypeScript < 4.1 ([#13954](https://togithub.com/sequelize/sequelize/issues/13954)) ([dd49044](https://togithub.com/sequelize/sequelize/commit/dd49044bc7a1a0dace3e438881a32416fe68aaf6))

### [`v6.13.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.13.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.5...v6.13.0)

##### Bug Fixes

- fix typings for queries with {plain: true} option ([#13899](https://togithub.com/sequelize/sequelize/issues/13899)) ([308d017](https://togithub.com/sequelize/sequelize/commit/308d0171ec3b2fd7d329c978e7885e6cc23466d0))

##### Features

- **mariadb:** add mariadb support in Sequelize.set function ([#13926](https://togithub.com/sequelize/sequelize/issues/13926)) ([02bda05](https://togithub.com/sequelize/sequelize/commit/02bda05a0757773c0d71fa574e6217210adabecf)), closes [#13920](https://togithub.com/sequelize/sequelize/issues/13920)
- **postgres:** drop indices concurrently in Postgres ([#13903](https://togithub.com/sequelize/sequelize/issues/13903)) ([37f20a6](https://togithub.com/sequelize/sequelize/commit/37f20a6028eecdd89a61c3db708506784105adfc))

### [`v6.12.5`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.5)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.4...v6.12.5)

##### Bug Fixes

- **dialect:** sequelize pool doesn't take effect in dialect "mssql" ([#13880](https://togithub.com/sequelize/sequelize/issues/13880)) ([fc155b6](https://togithub.com/sequelize/sequelize/commit/fc155b627448e09420b4d8308736b8d3a74e2935))
- **model:** fix count with grouping typing ([#13884](https://togithub.com/sequelize/sequelize/issues/13884)) ([49beb29](https://togithub.com/sequelize/sequelize/commit/49beb29ae757dde7b5eb531b0d857e39413ffb3b)), closes [#13871](https://togithub.com/sequelize/sequelize/issues/13871)
- **types:** improve ModelCtor / ModelStatic typing ([#13890](https://togithub.com/sequelize/sequelize/issues/13890)) ([34aa808](https://togithub.com/sequelize/sequelize/commit/34aa808425371c9b7cdf43cfe8ec3141d33ade34))
- **types:** omit FK and scope keys in HasManyCreateAssociationMixin ([#13892](https://togithub.com/sequelize/sequelize/issues/13892)) ([b315ce8](https://togithub.com/sequelize/sequelize/commit/b315ce8b967c5f6cf55a4f774aaca60306087bfb))

### [`v6.12.4`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.4)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.3...v6.12.4)

##### Bug Fixes

- **mssql/async-queue:** fix unable to start mysql due to circular ref ([#13823](https://togithub.com/sequelize/sequelize/issues/13823)) ([49e8614](https://togithub.com/sequelize/sequelize/commit/49e861459ee88be334b3969f16d0e03582fd16f0))

### [`v6.12.3`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.2...v6.12.3)

##### Bug Fixes

- **data-types:** moment object throwing error ([#13818](https://togithub.com/sequelize/sequelize/issues/13818)) ([78c7414](https://togithub.com/sequelize/sequelize/commit/78c7414ab6bcbb1adec161c0e223f248edb15511))

### [`v6.12.2`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.1...v6.12.2)

##### Bug Fixes

- **abstract:** patch jsonb operator for pg if value is json ([#13780](https://togithub.com/sequelize/sequelize/issues/13780)) ([a2375c5](https://togithub.com/sequelize/sequelize/commit/a2375c5645dd89fb436707e95cc01b5c546eb7fc))
- **operators:** fix ts support for operators.ts ([#13805](https://togithub.com/sequelize/sequelize/issues/13805)) ([b532ab1](https://togithub.com/sequelize/sequelize/commit/b532ab1dbdda2bfdb586b4ba0765147e71a86ae1))
- **postgres:** allows usage of schema for ARRAY(ENUM) type name ([#13807](https://togithub.com/sequelize/sequelize/issues/13807)) ([da5b0ce](https://togithub.com/sequelize/sequelize/commit/da5b0ce2d35d0381b80e787f977a7aefb7cdca56))
- **query-interface:** bring back quoteIdentifier(s) to queryInterface ([#13810](https://togithub.com/sequelize/sequelize/issues/13810)) ([001dc60](https://togithub.com/sequelize/sequelize/commit/001dc6006d24a14817c8e7744baf5d1d40eab520))

### [`v6.12.1`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.12.0...v6.12.1)

##### Bug Fixes

- allow deep imports ([#13795](https://togithub.com/sequelize/sequelize/issues/13795)) ([1ecdaf9](https://togithub.com/sequelize/sequelize/commit/1ecdaf98308ae9b975ec3af7be209fd448043e6e))
- fix invalid ts import style of lib/operators ([#13797](https://togithub.com/sequelize/sequelize/issues/13797)) ([8acc14f](https://togithub.com/sequelize/sequelize/commit/8acc14f3c639b2667ad4f79d963a3f365b2897a5))

### [`v6.12.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.12.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.11.0...v6.12.0)

##### Bug Fixes

- **data-types:** unnecessary warning when getting data with DATE dataTypes ([#13712](https://togithub.com/sequelize/sequelize/issues/13712)) ([121884b](https://togithub.com/sequelize/sequelize/commit/121884b0d364e0be53e93bfd90d99b7e15449897))
- **docs:** add aws-lamda route ([#13693](https://togithub.com/sequelize/sequelize/issues/13693)) ([3059bce](https://togithub.com/sequelize/sequelize/commit/3059bce6003ca77b5e67cf7d6d673597b704db0e))
- **example:** fix coordinates format as per GeoJson ([#13718](https://togithub.com/sequelize/sequelize/issues/13718)) ([f9dec20](https://togithub.com/sequelize/sequelize/commit/f9dec20cd1c0f1ace931ca470f8787a7b4046a56))
- **increment:** fix key value broken query ([#12985](https://togithub.com/sequelize/sequelize/issues/12985)) ([fc0b19e](https://togithub.com/sequelize/sequelize/commit/fc0b19e3cf95f0c4d749c3bf871077228be64bba))
- **model.d:** fix findAndCountAll.count type ([#13736](https://togithub.com/sequelize/sequelize/issues/13736)) ([b7b472e](https://togithub.com/sequelize/sequelize/commit/b7b472e7a0a55ebd402f7bced3e330c3087bc75f))
- **snowflake:** fix to prevent disconnect attempt on already disconnected connection ([#13775](https://togithub.com/sequelize/sequelize/issues/13775)) ([2a9a551](https://togithub.com/sequelize/sequelize/commit/2a9a551609be94ee233516a1a9b4119892249d9c))
- **types:** add Col to where Ops ([#13717](https://togithub.com/sequelize/sequelize/issues/13717)) ([2d7b865](https://togithub.com/sequelize/sequelize/commit/2d7b8653a82f16eff4ee5a48d1fd6ec9ab785c76))
- **types:** add instance member declaration ([#13684](https://togithub.com/sequelize/sequelize/issues/13684)) ([ae3cde5](https://togithub.com/sequelize/sequelize/commit/ae3cde54b62f2bd41f35a002ba7ddf54946ca0ee))
- **types:** add missing schema field to sequelize options ([c7a0839](https://togithub.com/sequelize/sequelize/commit/c7a0839ffc2923e2881b8cc31a251709a929a022)), closes [#12606](https://togithub.com/sequelize/sequelize/issues/12606)
- **types:** allow override json function with custom return type ([#13694](https://togithub.com/sequelize/sequelize/issues/13694)) ([2c3b384](https://togithub.com/sequelize/sequelize/commit/2c3b384cad6d9b6e1527f05560b12fc0338eca87))
- **upsert:** fall back to DO NOTHING if no update key values provided ([#13594](https://togithub.com/sequelize/sequelize/issues/13594)) ([4071378](https://togithub.com/sequelize/sequelize/commit/407137822a62897f7366980acd7eeceb443601b9))
- **upsert:** fall back to DO NOTHING if no update key values provided ([#13711](https://togithub.com/sequelize/sequelize/issues/13711)) ([f9dfaa7](https://togithub.com/sequelize/sequelize/commit/f9dfaa7c533acad4ae88fd16b47c3a5805fb6e9b)), closes [#13594](https://togithub.com/sequelize/sequelize/issues/13594)
- wrong interface used within mixin ([#13685](https://togithub.com/sequelize/sequelize/issues/13685)) ([bd3ddf5](https://togithub.com/sequelize/sequelize/commit/bd3ddf5a93a17cb729aa160a89a3ee04c329c0ed))

##### Features

- **dialects:** add experimental support for db2 ([#13374](https://togithub.com/sequelize/sequelize/issues/13374)) ([4443d2a](https://togithub.com/sequelize/sequelize/commit/4443d2af14c78b21ff2a70f4aeb69bd9d3f8c2e2))
- **dialect:** snowflake dialect support ([#13406](https://togithub.com/sequelize/sequelize/issues/13406)) ([ad68a5e](https://togithub.com/sequelize/sequelize/commit/ad68a5e5f07d7800ece68290de4d15e33ac7579a))
- **model:** complete getAttributes feature ([b6510df](https://togithub.com/sequelize/sequelize/commit/b6510df2bdb5fb22c508c3f348e11cbaf7065fbc))
- **typescript:** create alpha release with ts ([911125e](https://togithub.com/sequelize/sequelize/commit/911125e4a8daf56cb4f6461fd1281a83f5373f0c))
- **types:** transition lib/errors ([#13710](https://togithub.com/sequelize/sequelize/issues/13710)) ([8cdce6a](https://togithub.com/sequelize/sequelize/commit/8cdce6aeb32b09e4bc1359250efcfacc6742501f))
- **upsert:** add conflictFields option ([#13723](https://togithub.com/sequelize/sequelize/issues/13723)) ([496bede](https://togithub.com/sequelize/sequelize/commit/496bede2f9e48cce6fe378a1c174a8a9154e2f7e))

### [`v6.11.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.11.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.10.0...v6.11.0)

#####
Features - option for attributes having dotNotation ([#13670](https://togithub.com/sequelize/sequelize/issues/13670)) ([41876f1](https://togithub.com/sequelize/sequelize/commit/41876f11a7ef2dec4f7788d8e39cf9864a9e83cd)) ### [`v6.10.0`](https://togithub.com/sequelize/sequelize/releases/tag/v6.10.0) [Compare Source](https://togithub.com/sequelize/sequelize/compare/v6.9.0...v6.10.0) ##### Bug Fixes - typing on creation within an association ([#13678](https://togithub.com/sequelize/sequelize/issues/13678)) ([0312f8e](https://togithub.com/sequelize/sequelize/commit/0312f8eac982b646842f89f56dc90f6c8f935c84)) - **logger:** change logging depth from 3 to 1 ([#12879](https://togithub.com/sequelize/sequelize/issues/12879)) ([ddddc24](https://togithub.com/sequelize/sequelize/commit/ddddc244c2019a765ad889226584b8fb07ff50da)) - **mariadb:** fix MariaDB 10.5 JSON ([#13633](https://togithub.com/sequelize/sequelize/issues/13633)) ([cdd61dd](https://togithub.com/sequelize/sequelize/commit/cdd61ddbe83cbfe77dc04a32196dcc66e0052f51)) - **model:** clone options object instead of modifying ([#13589](https://togithub.com/sequelize/sequelize/issues/13589)) ([3be43de](https://togithub.com/sequelize/sequelize/commit/3be43deeb9a4e03cffb1d72ebc67a534a3c5dc19)) - **mssql:** fix sub query issue occurring with renamed primary key fields ([#12801](https://togithub.com/sequelize/sequelize/issues/12801)) ([73d99ab](https://togithub.com/sequelize/sequelize/commit/73d99ab45c069119478d8ef39ff9391181d5578f)) - **mssql:** sqlserver 2008 fix for using offsets and include criteria ([47c4494](https://togithub.com/sequelize/sequelize/commit/47c4494968422585bf265063925d1662ffcd4173)) - **query:** make stacktraces include original calling code ([#13347](https://togithub.com/sequelize/sequelize/issues/13347)) ([f581543](https://togithub.com/sequelize/sequelize/commit/f58154334d98038deafbecd017cf5719d1b13b7f)) - **types:** Add missing type definitions in models 
([#13553](https://togithub.com/sequelize/sequelize/issues/13553)) ([73ecf6c](https://togithub.com/sequelize/sequelize/commit/73ecf6cf33628eca38973c0eeb5c798dbba177e9)) - **types:** add specifc tojson type in model.d.ts ([#13661](https://togithub.com/sequelize/sequelize/issues/13661)) ([5924be5](https://togithub.com/sequelize/sequelize/commit/5924be52152232fbd7a925d599c31cac9f90dc6d)) - **types:** DataType.TEXT overloading definition ([#13654](https://togithub.com/sequelize/sequelize/issues/13654)) ([1690801](https://togithub.com/sequelize/sequelize/commit/1690801cda2ca15f32aaaf5e9ebd96e800808e36)) - **types:** include 'paranoid' in IncludeThroughOptions definition ([#13625](https://togithub.com/sequelize/sequelize/issues/13625)) ([b1fb1f3](https://togithub.com/sequelize/sequelize/commit/b1fb1f32f7d66c013bbf015345a1076893ffd806)) - **types:** ne op documentation ([#13666](https://togithub.com/sequelize/sequelize/issues/13666)) ([98485df](https://togithub.com/sequelize/sequelize/commit/98485dfcff501c565dbf453a54868a4dfe60a225)) - **types:** rename types and update CONTRIBUTING docs ([#13348](https://togithub.com/sequelize/sequelize/issues/13348)) ([1f23924](https://togithub.com/sequelize/sequelize/commit/1f2392423212ca9a4604772c1d0a2f008606695e)) - expect result is null but got zero ([#13637](https://togithub.com/sequelize/sequelize/issues/13637)) ([da3ac09](https://togithub.com/sequelize/sequelize/commit/da3ac091032856f8a74297eff9a9d89e7fc997e5)) ##### Features - **definitions:** Adds AbstractQuery and before/afterQuery hook definitions ([#13635](https://togithub.com/sequelize/sequelize/issues/13635)) ([37a5858](https://togithub.com/sequelize/sequelize/commit/37a5858b1e635a28dee1da494f278753d489bbe8)) - **postgresql:** easier SSL config and options param support ([#13673](https://togithub.com/sequelize/sequelize/issues/13673)) ([9591573](https://togithub.com/sequelize/sequelize/commit/95915739443f96996841dacfd6861e9d5ba35c1b))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.