joshuaalpuerto / node-ddd-boilerplate

Node DDD Boilerplate
https://joshuaalpuerto.github.io/node-ddd-boilerplate/#/

🚨 [security] Upgrade sequelize: 5.5.0 → 5.21.1 (minor) #52

Closed depfu[bot] closed 5 years ago

depfu[bot] commented 5 years ago

🚨 Your version of sequelize has known security vulnerabilities 🚨

Advisory: CVE-2019-10752
Disclosed: October 25, 2019
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-10752

High severity vulnerability that affects sequelize

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.


🚨 We recommend to merge and deploy this update as soon as possible! 🚨


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sequelize (5.5.0 → 5.21.1) · Repo

Release Notes

5.21.1

5.21.1 (2019-10-19)

Bug Fixes

  • associations: allow binary key for belongs-to-many (#11581) (2083c9a)

5.21.0

5.21.0 (2019-10-18)

Bug Fixes

  • postgres: update upsert regex to match the last RETURNING * (#11538) (2b9baa2)

Features

  • mariadb: support indexHints on mariadb dialect (#11573) (a34399f)

5.20.0

5.20.0 (2019-10-18)

Features

5.19.8

5.19.8 (2019-10-17)

Bug Fixes

  • types: add array of Buffers to WhereValue type (#11559) (3517eb7)

5.19.7

5.19.7 (2019-10-16)

Bug Fixes

5.19.6

5.19.6 (2019-10-11)

Bug Fixes

  • mysql/mariadb: set isolation level for transaction not entire session (#11476) (bd59b87)

5.19.5

5.19.5 (2019-10-09)

Bug Fixes

  • types: allow string and number arrays for contains operator (#11520) (93e8075)
  • typings: add hasMany create method (#11512) (fafe375)

5.19.4

5.19.4 (2019-10-07)

Bug Fixes

5.19.3

5.19.3 (2019-10-05)

Bug Fixes

5.19.2

5.19.2 (2019-10-01)

Bug Fixes

  • mysql/showAllTables: list tables from current database (#11456) (c7138f5)
  • query: do not omit field when same field/name in fieldMap (#11492) (7a90df5)

5.19.1

5.19.1 (2019-09-27)

Bug Fixes

5.19.0

5.19.0 (2019-09-19)

Bug Fixes

  • bulkCreate: use correct primary key column name for updateOnDuplicate (#11434) (3a60069)
  • showTablesQuery: ignore views for mssql/mysql (#11439) (8b53f72)

Features

  • logging: print bind parameters in logs with logQueryParameters option (#11267) (992ddf7)

5.18.4

5.18.4 (2019-09-08)

Bug Fixes

5.18.3

5.18.3 (2019-09-08)

Bug Fixes

5.18.2

5.18.2 (2019-09-07)

Bug Fixes

5.18.1

5.18.1 (2019-09-03)

Bug Fixes

5.18.0

5.18.0 (2019-08-31)

Bug Fixes

  • postgres: use proper schema for index and relations (#11274) (4816005)

Features

5.17.2

5.17.2 (2019-08-30)

Bug Fixes

  • types: change raw query return type to [unknown[],unknown] (#11368) (d5667e0)

5.17.1

5.17.1 (2019-08-29)

Bug Fixes

5.17.0

5.17.0 (2019-08-28)

Features

  • sqlite: support updateOnDuplicate option with bulkCreate (#11360) (5860ef5)

5.16.0

5.16.0 (2019-08-22)

Features

5.15.2

5.15.2 (2019-08-21)

Bug Fixes

  • query-generator: handle virtual column on associations with scopes (#11327) (b72e3bb)

5.15.1

5.15.1 (2019-08-18)

Security

  • sequelize.json.fn: use common path extraction for mysql/mariadb/sqlite (#11329) (9bd0bc1)

This fixes a security issue with sequelize.json() for MySQL. Old code was still used for formatting sub paths for JSON queries when used with the sequelize.json() helper function.

Example of attack vector

return User.findAll({
  where: sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Thanks to @Kirill89 from Snyk Security Research Team for reporting this issue.

5.15.0

5.15.0 (2019-08-14)

Features

  • associations: source and target key support for belongs-to-many (#11311) (83e263b)

5.14.0

5.14.0 (2019-08-13)

Features

5.13.1

5.13.1 (2019-08-11)

Bug Fixes

5.13.0

5.13.0 (2019-08-09)

Bug Fixes

  • types: return a usable type when using the sequelize.models lookup (#11293) (a39c63a)
  • types: use correct this value in getterMethods and setterMethods (#11292) (98a4089)

Features

  • postgres: add function variables for postgres (#11277) (ff97d93)

Performance Improvements

5.12.3

5.12.3 (2019-08-04)

Bug Fixes

  • postgres: improve ensureEnums to support out of order enum values (#11249) (bc8c7b9)

5.12.2

5.12.2 (2019-07-31)

Bug Fixes

  • model: destroying paranoid models with custom deletedAt (#11255) (d041e77)

5.12.1

5.12.1 (2019-07-30)

Bug Fixes

  • mssql: save number bigger than 2147483647 as bigint (#11252) (c32ac01)

5.12.0

5.12.0 (2019-07-30)

Features

  • postgres: support returning attributes with bulkCreate (#11170) (d2f3383)

5.11.0

5.11.0 (2019-07-27)

Bug Fixes

  • search_path: disable bindParam in updateQuery (#11236) (ff93d7c)

Features

  • postgres: support autoIncrementIdentity (#11235) (35be8e0)
  • postgres: support updateOnDuplicate option with bulkCreate (#11163) (47489ab)

5.10.3

5.10.3 (2019-07-25)

Bug Fixes

  • sqlite: don't break when adding second constraint to a table (#11067) (7bf1b71)

5.10.2

5.10.2 (2019-07-23)

Bug Fixes

  • describetable: support string length for char in mssql (#11212) (1cffab7)

5.10.1

5.10.1 (2019-07-14)

Bug Fixes

5.10.0

5.10.0 (2019-07-11)

Features

  • query-interface: add force option to createFunction (#11172) (56208b2)

5.9.5

5.9.5 (2019-07-11)

Bug Fixes

  • mysql/mariadb: treat deadlocked transactions as rollback (#11074) (003aabc)

5.9.4

5.9.4 (2019-07-06)

Bug Fixes

5.9.3

5.9.3 (2019-07-05)

Bug Fixes

5.9.2

5.9.2 (2019-07-02)

Bug Fixes

5.9.1

5.9.1 (2019-07-02)

Bug Fixes

5.9.0

5.9.0 (2019-06-28)

Features

  • hooks: beforeDisconnect / afterDisconnect (#11117) (7a6cc32)
  • performance: remove last usage of lodash template string in INSERT query generation (#11122) (d7c3c7df)

5.8.12

5.8.12 (2019-06-22)

Bug Fixes

5.8.11

5.8.11 (2019-06-21)

Security Fixes

  • mariadb/mysql: properly escape json path key (#11089) (a72a3f5)

This release fixes a SQL injection issue with MySQL/MariaDB dialect. JSON path keys were not properly escaped for these dialects. We advise all v5 users to update to latest release.

Thanks to @Kirill89 from Snyk Security Research Team for reporting this issue.

5.8.10

5.8.10 (2019-06-17)

Bug Fixes

5.8.9

5.8.9 (2019-06-11)

Bug Fixes

5.8.8

5.8.8 (2019-06-10)

Bug Fixes

5.8.7

5.8.7 (2019-05-29)

Bug Fixes

5.8.6

5.8.6 (2019-05-12)

Bug Fixes

5.8.5

5.8.5 (2019-05-05)

Bug Fixes

  • ci: flaky tests and dead code (5f9d590)

5.8.4

5.8.4 (2019-05-03)

Bug Fixes

  • typings: use correct set of allowed options for addIndex (#10885) (8662fc8)

5.8.3

5.8.3 (2019-05-03)

Bug Fixes

  • querying: treat having the same as where when using scopes (#10884) (15354c7)

5.8.2

5.8.2 (2019-05-01)

Bug Fixes

  • querying: prevent having clause from cascading (#10859) (1b8c389)
  • sync: handle alter correctly with underscored/aliased columns (#10872) (4de34c5)
  • types: add dialectModule types (#10863) (48eafaa)
  • types: add duplicating option (#10871) (42927d3)
  • types: add Model#addScope overload (5767fba)
  • types: add random function to sequelize (dc41875)

5.8.1

5.8.1 (2019-04-30)

Bug Fixes

  • types: add validate option to CreateOptions (bf4700b)

5.8.0

5.8.0 (2019-04-29)

Bug Fixes

  • associations: check presence of multi-joined instances (#10853) (32be061)

Features

5.7.6

5.7.6 (2019-04-26)

Bug Fixes

5.7.5

5.7.5 (2019-04-24)

Bug Fixes

5.7.4

5.7.4 (2019-04-22)

Bug Fixes

  • redshift: allow standard_conforming_strings option (#10816) (2bb6098)

5.7.3

5.7.3 (2019-04-22)

Bug Fixes

5.7.2

5.7.2 (2019-04-22)

Bug Fixes

5.7.1

5.7.1 (2019-04-20)

Bug Fixes

5.7.0

5.7.0 (2019-04-18)

Bug Fixes

Features

5.6.1

5.6.1 (2019-04-17)

Bug Fixes

  • model: handle virtual attributes in includes (#10785) (4cc7dc8)

5.6.0

5.6.0 (2019-04-16)

Features

5.5.1

5.5.1 (2019-04-16)

Bug Fixes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase: Rebases against your default branch and redoes this update
@depfu merge: Merges this PR once your tests are passing and conflicts are resolved
@depfu close: Closes this PR and deletes the branch
@depfu reopen: Restores the branch and reopens this PR (if it's closed)
@depfu pause: Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

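The two security entries in the release notes above (5.8.11, JSON path keys not escaped for MySQL/MariaDB, and 5.15.1, sub-path formatting in the sequelize.json() helper) describe one class of bug: a caller-supplied JSON path spliced into SQL text as-is. The following is an added example, not sequelize's own code and not part of this PR, that places a naive formatter beside a hardened one which tokenizes the path and escapes each layer separately. Every function name here is the example's own; it assumes MySQL/MariaDB JSON_EXTRACT path syntax and the default backslash string-literal escaping (NO_BACKSLASH_ESCAPES off), and it reuses the payload quoted in the 5.15.1 notes only as a test input.

```javascript
// Added example (not sequelize's code): an unsafe JSON-path formatter beside a
// hardened one, for the injection class described in the 5.8.11 / 5.15.1 notes.
// Assumes MySQL/MariaDB JSON_EXTRACT path syntax and the default backslash
// string-literal escaping (NO_BACKSLASH_ESCAPES off).

// Payload quoted from the 5.15.1 release notes, used here only as a test input.
const ATTACK_PAYLOAD = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";

// Unsafe: the caller's path is spliced straight into the SQL text, so anything
// after a quote character in the path becomes SQL. This is the shape of the bug.
function unsafeJsonExtract(path) {
  const [column, ...keys] = path.split('.');
  return `JSON_EXTRACT(\`${column}\`, '$.${keys.join('.')}')`;
}

// Layer 1: accept only a strict grammar for dotted paths.
//   segment := identifier ( '[' digits ']' )*
//   path    := segment ( '.' segment )*
// The first identifier is the column; everything after it is a JSON path key.
function parseDottedPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segmentRe = /^([A-Za-z_][A-Za-z0-9_]*)((?:\[\d+\])*)$/;
  const keys = [];
  for (const seg of path.split('.')) {
    const m = segmentRe.exec(seg);
    if (m === null) {
      throw new Error(`rejected JSON path segment: ${JSON.stringify(seg)}`);
    }
    keys.push(m[1]);
    for (const idx of m[2].match(/\d+/g) || []) keys.push(Number(idx));
  }
  return { column: keys.shift(), keys };
}

// Layer 2: format the JSON path itself. Identifier-like keys use the dotted
// form; any other string uses the double-quoted member form with " and \ escaped.
function formatJsonPath(keys) {
  let path = '$';
  for (const key of keys) {
    if (Number.isInteger(key) && key >= 0) {
      path += `[${key}]`;
    } else if (typeof key === 'string' && /^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
      path += `.${key}`;
    } else if (typeof key === 'string') {
      path += `."${key.replace(/["\\]/g, '\\$&')}"`;
    } else {
      throw new TypeError('JSON path key must be a string or non-negative integer');
    }
  }
  return path;
}

// Layer 3: the finished path travels as a SQL string literal, so escape it as
// one. Skipping this layer is what let path text turn into SQL.
function escapeSqlLiteral(value) {
  const escaped = String(value).replace(/[\0\n\r\b\t\x1a\\'"]/g, ch => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash and both quote characters
    }
  });
  return `'${escaped}'`;
}

function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Hardened builder: the column is quoted as an identifier, the path as a literal.
function safeJsonExtract(column, keys) {
  return `JSON_EXTRACT(${quoteIdentifier(column)}, ${escapeSqlLiteral(formatJsonPath(keys))})`;
}

// Convenience in the sequelize.json(path, value) shape from the release notes:
// the path is parsed and escaped, the compared value goes out as a bind parameter.
function jsonEqualsCondition(path, value) {
  const { column, keys } = parseDottedPath(path);
  return { sql: `${safeJsonExtract(column, keys)} = ?`, bind: [value] };
}
```

The design point is that three distinct grammars are in play (the dotted path the caller writes, the JSON path the database parses, and the SQL string literal that carries it), and each needs its own validation or escaping step; the 5.15.1 note about "common path extraction" across dialects is the same idea applied inside sequelize, so that no dialect keeps an older code path that skips a layer.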
coveralls commented 5 years ago

Coverage Status

Coverage decreased (-50.4%) to 40.278% when pulling 55f8e2d167cadf45c72df6b82a406d8c571487d9 on depfu/update/yarn/sequelize-5.21.1 into 4f4cb0318de9d9c92f018fca59d7cbd924fd04de on master.