Update dependency sequelize to v5.15.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
sequelize (source)	dependencies	minor	5.8.5 -> 5.15.1

GitHub Vulnerability Alerts

CVE-2019-10752

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

---

Release Notes

sequelize/sequelize

v5.15.1

Compare Source

Security

• sequelize.json.fn: use common path extraction for mysql/mariadb/sqlite (#​11329) (9bd0bc1)

This fixes a security issue with sequelize.json() for MySQL. Old code was still used for formatting sub paths for json queries when used with sequelize.json() helper function

Example of attack vector

return User.findAll({
  where: sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Thanks to @​Kirill89 from Snyk Security Research Team for reporting this issue.

v5.15.0

Compare Source

Features

• associations: source and target key support for belongs-to-many (#​11311) (83e263b)

v5.14.0

Compare Source

Features

• support include option in bulkInsert (#​11307) (4f09899)

v5.13.1

Compare Source

Bug Fixes

• count: fix null count with includes (#​11295) (592099d)

v5.13.0

Compare Source

Bug Fixes

• types: return a usable type when using the sequelize.models lookup (#​11293) (a39c63a)
• types: use correct this value in getterMethods and setterMethods (#​11292) (98a4089)

Features

• postgres: add function variables for postgres (#​11277) (ff97d93)

Performance Improvements

• remove unnecessary cloneDeep calls (#​11281) (72d813b)

v5.12.3

Compare Source

Bug Fixes

• postgres: improve ensureEnums to support out of order enum values (#​11249) (bc8c7b9)

v5.12.2

Compare Source

Bug Fixes

• model: destroying paranoid models with custom deletedAt (#​11255) (d041e77)

v5.12.1

Compare Source

Bug Fixes

• mssql: save number bigger than 2147483 as bigint (#​11252) (c32ac01)

v5.12.0

Compare Source

Features

• postgres: support returning attributes with bulkCreate (#​11170) (d2f3383)

v5.11.0

Compare Source

Bug Fixes

• search_path: disable bindParam in updateQuery (#​11236) (ff93d7c)

Features

• postgres: support autoIncrementIdentity (#​11235) (35be8e0)
• postgres: support updateOnDuplicate option with bulkCreate (#​11163) (47489ab)

v5.10.3

Compare Source

Bug Fixes

• sqlite: don't break when adding second constraint to a table (#​11067) (7bf1b71)

v5.10.2

Compare Source

Bug Fixes

• describetable: support string length for char in mssql (#​11212) (1cffab7)

v5.10.1

Compare Source

Bug Fixes

• types: text length is string constant (#​11098) (6e0b137)

v5.10.0

Compare Source

Features

• query-interface: add force option to createFunction (#​11172) (56208b2)

v5.9.5

Compare Source

Bug Fixes

• mysql/mariadb: treat deadlocked transactions as rollback (#​11074) (003aabc)

v5.9.4

Compare Source

Bug Fixes

• model: don't alter original scopes when combining them (#​10722) (f2b0aec)
• types: add literal to possible where options (#​10990) (b6d6787)
• types: relax order typing (#​10802) (75b95dc)

v5.9.3

Compare Source

Bug Fixes

• types: add string to Includeable (#​11003) (ff3c225)

v5.9.2

Compare Source

Bug Fixes

• types: silent option for update (#​11115) (7ac8f02)

v5.9.1

Compare Source

Bug Fixes

• update sequelize-pool (#​11134) (3a914f0)

v5.9.0

Compare Source

Features

• hooks: beforeDisconnect / afterDisconnect (#​11117) (7a6cc32)
• performance: remove last usage of lodash template string in INSERT query generation (#​11122) (d7c3c7df)

v5.8.12

Compare Source

Bug Fixes

• sequelize.close: update sequelize-pool (#​11101) (c6a0d8d)

v5.8.11

Compare Source

Security Fixes

• mariadb/mysql: properly escape json path key (#​11089) (a72a3f5)

This release fixes a SQL injection issue with MySQL/MariaDB dialect. JSON path keys were not properly escaped for these dialects. We advise all v5 users to update to latest release.

Thanks to @​Kirill89 from Snyk Security Research Team for reporting this issue.

v5.8.10

Compare Source

Bug Fixes

• types: add missing findCreateFind type (#​11068) (cd8ee56)

v5.8.9

Compare Source

Bug Fixes

• types: add null to afterFind hook (#​11051) (1d7f209)
• update sequelize-pool (#​11055) (dcf079b)

v5.8.8

Compare Source

Bug Fixes

• types: update IndexHint.value to IndexHint.values (#​11008) (#​11015) (68fcd99)

v5.8.7

Compare Source

Bug Fixes

• types: add beforeSave and afterSave typings (#​10987) (0569f42)
• correct grammar (#​10981) (41985c5)
• types: add missing alter option (#​10939) (30c5ca5)
• types: add missing types to SyncOptions (#​10948) (2f7b32b)

v5.8.6

Compare Source

Bug Fixes

• types: add poolable to count options (#​10938) (b3d2849)

---

Renovate configuration

📅 Schedule: "" in timezone Australia/Melbourne.

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot. View repository job log here.