Skip to content

[Security] Bump sequelize from 6.28.2 to 6.29.0

Dependabot requested to merge dependabot-npm_and_yarn-sequelize-6.29.0 into master

Bumps sequelize from 6.28.2 to 6.29.0. This update includes a security fix.

Vulnerabilities fixed

Sequelize vulnerable to Improper Filtering of Special Elements Due to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.

Patched versions: none Affected versions: <= 6.28.2

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

  • throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)
Commits
  • d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578)...
  • 53bd9b7 meta: fix null test getWhereConditions (#15705)
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading