
[Security] Bump sequelize from 6.28.2 to 6.29.0

Dependabot requested to merge dependabot-npm_and_yarn-sequelize-6.29.0 into master

Bumps sequelize from 6.28.2 to 6.29.0. This update includes a security fix.

Vulnerabilities fixed

Sequelize vulnerable to Improper Filtering of Special Elements
Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. This issue can be mitigated by not accepting untrusted input.

Patched versions: none
Affected versions: <= 6.28.2

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

  • throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)
Commits
  • d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578)...
  • 53bd9b7 meta: fix null test getWhereConditions (#15705)
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
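The release note above says 6.29.0 makes Sequelize throw when an attribute name contains parentheses, and the advisory says the issue is mitigated by not accepting untrusted input. The following is an added example, not Sequelize's own code and not part of this merge request: an application-side allow-list for the `attributes` option that rejects parentheses the same way the upstream fix does, and additionally refuses anything that is not a bare identifier present in the model's known columns. The `allowedColumns` set, the `fields` query parameter, and the `User.rawAttributes` suggestion are assumptions made for illustration.

```javascript
// Added example (not Sequelize's own code): an application-side allow-list
// for the `attributes` option, in the spirit of the 6.29.0 fix, which makes
// Sequelize throw when an attribute name contains parentheses.
// `allowedColumns` and the request strings below are constructed for illustration.

// Column names the model actually exposes. In a real app derive this from the
// Sequelize model, e.g. Object.keys(User.rawAttributes) (assumption, not shown).
const allowedColumns = new Set(['id', 'email', 'created_at']);

// A column name is a bare SQL identifier: letters, digits, underscores.
// Anything else (parentheses, commas, spaces, quotes) could be read as an
// expression by the query builder, so it is refused before reaching Sequelize.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function validateAttributes(requested, allowed = allowedColumns) {
  if (!Array.isArray(requested)) {
    throw new TypeError('attributes must be an array of column names');
  }
  return requested.map((name) => {
    if (typeof name !== 'string') {
      throw new TypeError('attribute names must be strings');
    }
    if (name.includes('(') || name.includes(')')) {
      // Same condition as the upstream fix: parentheses never belong in a column name.
      throw new Error(`attribute "${name}" contains parentheses`);
    }
    if (!IDENTIFIER.test(name) || !allowed.has(name)) {
      // Stricter than the upstream fix: only known, plain column names pass.
      throw new Error(`attribute "${name}" is not an allowed column`);
    }
    return name;
  });
}

// Build the options object that would be handed to Model.findAll().
// `fieldsParam` is assumed to arrive from an untrusted client as a
// comma-separated string, e.g. the query string ?fields=id,email.
function buildFindOptions(fieldsParam) {
  const requested = String(fieldsParam)
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  return { attributes: validateAttributes(requested) };
}

// Returns true when the input is rejected, so the outcome can be checked
// without a database connection.
function isRejected(fieldsParam) {
  try {
    buildFindOptions(fieldsParam);
    return false;
  } catch (e) {
    return true;
  }
}

// Intended usage (not executed here, needs a Sequelize model):
//   const rows = await User.findAll(buildFindOptions(req.query.fields));
```

Rejecting on parentheses alone mirrors the upstream check; the allow-list is what actually closes the door on untrusted input, because a column name that is not in the model has no business in the query regardless of what characters it contains.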
