Release notes
*Sourced from [sequelize's releases](https://github.com/sequelize/sequelize/releases).*
> ## v5.15.1
> ## [5.15.1](https://github.com/sequelize/sequelize/compare/v5.15.0...v5.15.1) (2019-08-18)
>
>
> ### Security
>
> * **sequelize.json.fn:** use common path extraction for mysql/mariadb/sqlite ([#11329](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11329)) ([9bd0bc1](https://github.com/sequelize/sequelize/commit/9bd0bc1))
>
> This fixes a security issue with `sequelize.json()` for MySQL. Old code was still used for formatting sub paths for json queries when used with `sequelize.json()` helper function.
>
> Example of attack vector
>
> ```js
> return User.findAll({
>   where: sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
> });
> ```
>
> Thanks to [@Kirill89](https://github.com/Kirill89) from Snyk Security Research Team for reporting this issue.
>
> ## v5.15.0
> # [5.15.0](https://github.com/sequelize/sequelize/compare/v5.14.0...v5.15.0) (2019-08-14)
>
>
> ### Features
>
> * **associations:** source and target key support for belongs-to-many ([#11311](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11311)) ([83e263b](https://github.com/sequelize/sequelize/commit/83e263b))
>
> ## v5.14.0
> # [5.14.0](https://github.com/sequelize/sequelize/compare/v5.13.1...v5.14.0) (2019-08-13)
>
>
> ### Features
>
> * support include option in bulkInsert ([#11307](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11307)) ([4f09899](https://github.com/sequelize/sequelize/commit/4f09899))
>
> ## v5.13.1
> ## [5.13.1](https://github.com/sequelize/sequelize/compare/v5.13.0...v5.13.1) (2019-08-11)
>
>
> ### Bug Fixes
>
> * **count:** fix null count with includes ([#11295](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11295)) ([592099d](https://github.com/sequelize/sequelize/commit/592099d))
>
> ## v5.13.0
> # [5.13.0](https://github.com/sequelize/sequelize/compare/v5.12.3...v5.13.0) (2019-08-09)
>
>
> ### Bug Fixes
>
> ... (truncated)
Commits
- [`9bd0bc1`](https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e) fix(sequelize.json.fn): use common path extraction for mysql/mariadb/sqlite (...
- [`83e263b`](https://github.com/sequelize/sequelize/commit/83e263bd4f97860e37cfd8c4a69995a3901b9264) feat(associations): source and target key support for belongs-to-many ([#11311](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11311))
- [`4f09899`](https://github.com/sequelize/sequelize/commit/4f0989987730b61d2a992653819bc63aaefd94a8) feat: support include option in bulkInsert ([#11307](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11307))
- [`de06ac3`](https://github.com/sequelize/sequelize/commit/de06ac3fd714f7c7eeb10db5774724007928f0c1) docs(security): grammar mistakes
- [`29eb1c8`](https://github.com/sequelize/sequelize/commit/29eb1c85ad00201e8b036ab492b7d418fa706606) docs(security): add responsible disclosure policy ([#11300](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11300))
- [`592099d`](https://github.com/sequelize/sequelize/commit/592099dd7b5078bdc6deccbdd19be0e02f38cfd6) fix(count): fix null count with includes ([#11295](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11295))
- [`80d3625`](https://github.com/sequelize/sequelize/commit/80d362578c94da6c961f2d08e32df19cdecec3f7) docs(query-interface): fix typo with remove-column parameter ([#11294](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11294))
- [`a39c63a`](https://github.com/sequelize/sequelize/commit/a39c63a44201e13a44a75e6acd7ba3b08d7643d7) fix(types): return a usable type when using the sequelize.models lookup ([#11293](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11293))
- [`98a4089`](https://github.com/sequelize/sequelize/commit/98a40891effb8ae8d76ad1c091414e906f38cca9) fix(types): use correct `this` value in getterMethods and setterMethods ([#11292](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11292))
- [`dd428a0`](https://github.com/sequelize/sequelize/commit/dd428a06d32a39273b3cfb018214f7cfa372e4ac) refactor(association): name model that association is missing from ([#11290](https://github-redirect.dependabot.com/sequelize/sequelize/issues/11290))
- Additional commits viewable in [compare view](https://github.com/sequelize/sequelize/compare/v4.38.0...v5.15.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/datarightsfinder/website/network/alerts).
Bumps sequelize from 4.38.0 to 5.15.1.
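
The 5.15.1 security note quoted above concerns a JSON sub-path that reached the generated MySQL query without going through the common path extraction. The following is an added example, not Sequelize's code: it contrasts pasting a caller-supplied path into a quoted SQL literal with tokenizing the path and allow-listing each segment. The function names and the `json_unquote(json_extract(...))` output shape are assumptions for illustration; the sample input is the string from the release note.

```javascript
// Added illustration, not Sequelize's implementation; all names are hypothetical.
// Input string taken from the release note's "attack vector" example.
const PAYLOAD = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";

// Unsafe pattern: the caller's sub-path is pasted into a quoted SQL literal,
// so a single quote in the path ends the literal early.
function naiveJsonPath(path) {
  const [column, ...keys] = path.split('.');
  return `json_unquote(json_extract(\`${column}\`,'$.${keys.join('.')}'))`;
}

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/; // plain object key or column name
const INDEX = /^(0|[1-9][0-9]*)$/;        // array index

// Hardened pattern: tokenize, allow-list every segment, then rebuild the
// JSON path from validated pieces only.
function safeJsonPath(path) {
  if (typeof path !== 'string') throw new TypeError('path must be a string');
  const [column, ...keys] = path.split('.');
  if (!IDENT.test(column)) throw new Error('invalid column name');
  if (keys.length === 0) throw new Error('path needs at least one key');
  let jsonPath = '$';
  for (const key of keys) {
    if (INDEX.test(key)) jsonPath += `[${key}]`;
    else if (IDENT.test(key)) jsonPath += `.${key}`;
    else throw new Error(`invalid path segment: ${JSON.stringify(key)}`);
  }
  return `json_unquote(json_extract(\`${column}\`,'${jsonPath}'))`;
}

// Returns the SQL fragment or the rejection message, for side-by-side comparison.
function tryBuild(builder, path) {
  try {
    return { ok: true, sql: builder(path) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(tryBuild(naiveJsonPath, PAYLOAD)); // literal closed by the input's quote
console.log(tryBuild(safeJsonPath, PAYLOAD));  // rejected before any SQL is built
console.log(tryBuild(safeJsonPath, 'data.items.0.name'));
```

Rejecting unknown characters is stricter than escaping them; keys that legitimately contain other characters would need a quoted-key form in the JSON path plus string-literal escaping.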