sorenrehkopf / custom-rick-roll

384 stars 64 forks source link

Bump sequelize from 3.35.1 to 5.15.1 #3

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps sequelize from 3.35.1 to 5.15.1.

Release notes

Sourced from sequelize's releases.

v5.15.1

5.15.1 (2019-08-18)

Security

  • sequelize.json.fn: use common path extraction for mysql/mariadb/sqlite (#11329) (9bd0bc1)

This fixes a security issue with sequelize.json() for MySQL. Old code was still used for formatting sub paths for json queries when used with sequelize.json() helper function

Example of attack vector

return User.findAll({
  where: sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Thanks to @Kirill89 from Snyk Security Research Team for reporting this issue.

v5.15.0

5.15.0 (2019-08-14)

Features

  • associations: source and target key support for belongs-to-many (#11311) (83e263b)

v5.14.0

5.14.0 (2019-08-13)

Features

v5.13.1

5.13.1 (2019-08-11)

Bug Fixes

v5.13.0

5.13.0 (2019-08-09)

Bug Fixes

Commits
  • 9bd0bc1 fix(sequelize.json.fn): use common path extraction for mysql/mariadb/sqlite (...
  • 83e263b feat(associations): source and target key support for belongs-to-many (#11311)
  • 4f09899 feat: support include option in bulkInsert (#11307)
  • de06ac3 docs(security): grammar mistakes
  • 29eb1c8 docs(security): add responsible disclosure policy (#11300)
  • 592099d fix(count): fix null count with includes (#11295)
  • 80d3625 docs(query-interface): fix typo with remove-column parameter (#11294)
  • a39c63a fix(types): return a usable type when using the sequelize.models lookup (#11293)
  • 98a4089 fix(types): use correct this value in getterMethods and setterMethods (#11292)
  • dd428a0 refactor(association): name model that association is missing from (#11290)
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/sorenrehkopf/custom-rick-roll/network/alerts).
dependabot[bot] commented 4 years ago

Looks like sequelize is no longer updatable, so this is no longer needed.