[Security] Bump sequelize from 6.28.1 to 6.29.0 (!74) · Merge requests · games / drraw

Dependabot requested to merge dependabot-npm_and_yarn-sequelize-6.29.0 into master Feb 24, 2023

Bumps sequelize from 6.28.1 to 6.29.0. This update includes a security fix.

Vulnerabilities fixed

Sequelize vulnerable to Improper Filtering of Special Elements Due to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.

Patched versions: none Affected versions: <= 6.28.2

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)

v6.28.2

6.28.2 (2023-02-22)

Bug Fixes

accept undefined in where (#15703) (13f2e89)

Commits

d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578)...
53bd9b7 meta: fix null test getWhereConditions (#15705)
13f2e89 fix: accept undefined in where (#15703)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump sequelize from 6.28.1 to 6.29.0

v6.29.0

6.29.0 (2023-02-23)

Features

v6.28.2

6.28.2 (2023-02-22)

Bug Fixes

Merge request reports