Skip to content

chore(deps): update dependency typeorm to v0.3.26 [security]#607

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-typeorm-vulnerability
Open

chore(deps): update dependency typeorm to v0.3.26 [security]#607
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-typeorm-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Oct 31, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
typeorm (source) 0.3.200.3.26 age confidence

TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

CVE-2025-60542 / GHSA-q2pj-6v73-8rgj

More information

Details

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Severity

  • CVSS Score: 8.9 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

typeorm/typeorm (typeorm)

v0.3.26

Compare Source

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

The list below is the set of commits between 0.3.30 and 1.0.0 — fixes already shipped on the 0.3.x line are listed under their respective 0.3.x entries below.

Bug Fixes
  • cascade: propagate withDeleted to relation-id loader for many-to-many recover (#​12287) (cfba9e7)
  • cascade: support cascade remove for OneToMany relations with composite PKs (#​12286) (09183c8)
  • cli: preserve devDependencies needed by init command in published package (#​12281) (c3b771c)
  • cockroachdb: preserve structured query results during txn retry replay (#​11861) (09db48c)
  • codemod: apply find-options select/relations rewrites to .exists() too (#​12399) (4461063)
  • codemod: correct relation-count guidance and flag loadRelationCountAndMap (#​12374) (5de5490)
  • codemod: cover ColumnMetadata args.options in column option rewrites (#​12400) (7a68cf2)
  • codemod: exclude type declarations from build (#​12292) (4c645f0)
  • codemod: handle aliases, quoted keys, and ObjectProperty variants (#​12377) (2d15644)
  • codemod: handle lock option objects correctly and increase test coverage (#​12353) (b871719)
  • codemod: handle typeof type queries and use getStringValue consistently (#​12379) (dedea37)
  • codemod: harden destructure and DI accessor rewrites for connection to dataSource rename (#​12398) (057ddbc)
  • codemod: harden scope and type-name detection across more AST shapes (#​12394) (9d1fd8d)
  • codemod: harden scope, idempotency, and import-strip semantics (#​12391) (ed5a19b)
  • codemod: recognize typeorm deep-path imports (#​12382) (a96b097)
  • codemod: rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata (#​12383) (8a51e30), closes #​12249
  • codemod: rewrite typeorm re-exports in barrel files (#​12373) (25f0b5f)
  • codemod: scope v1 transforms to typeorm imports and skip .d.ts files (#​12372) (a34fdb2)
  • codemod: track DataSource accessor chains for typed-variable renames (#​12385) (14a3132)
  • copy cordova query rows affected into query result (#​10873) (ad22c10)
  • disable global order for aggregate functions (#​11925) (2efb2a1)
  • do not run npm install during CLI init (#​12386) (66aa930)
  • docs: add lunr as explicit dependency for pnpm strict hoisting (f4d435e)
  • docs: align code style (#​12081) (5f6eb4c)
  • docs: complete Typesense removal missed during cherry-pick (eb7a5b6)
  • docs: update docs pnpm lockfile for new dependencies (4123db9)
  • eager load relation strategy (#​11326) (5797d97)
  • enhance upsert functionality for proper sql generation with table alias (#​11915) (42ce630)
  • expo: auto-load expo-sqlite driver via loadDependencies() (#​12363) (212c8ef)
  • fix up change detection with date transformer (#​11963) (e3e3c97)
  • fix up generated query with .update() (#​11993) (fe6c072)
  • fix up join attributes inside bracket (#​11218) (d233daa)
  • fix up map objects comparison (#​10990) (f66eee7)
  • fix up save with eagerly loaded relation (#​11975) (f5cea95)
  • fix working with tables with quotes in the names for postgres and cockroachdb (#​10993) (e5a8afb)
  • handle re-save of postgres geometric types (#​11857) (65dea3c)
  • handle relation ids in nested embedded entities (#​11942) (5237bee)
  • include joined entity primary keys in pagination subquery (#​11669) (4ffe666)
  • make shorten method to properly work with camelCase_aliases (#​11283) (8a9a376)
  • merging into an entity now respects null values (#​11154) (1676484)
  • metadata-builder: deferrable for many to many (#​11924) (910fae7)
  • mongo: correctly process embedded arrays of nested documents (#​10940) (bfc293f)
  • mongodb: translate ObjectIdColumn property name to _id in find queries (#​12200) (4decab5)
  • mysql: getVersion returning undefined for PolarDB-X 2.0 (#​11837) (fdcbcba)
  • persistence: handle non-nullable FK in orphaned row nullification (#​11982) (b9aa835)
  • postgres,cockroachdb: load enum values in declaration order (#​12404) (bfa9963)
  • postgres,cockroachdb: use parameterized queries in clearDatabase() (#​12185) (1abf6e7)
  • postgres: execute remaining relation-load and persistence paths sequentially to avoid pg 8.19.0 deprecation (#​12421) (ed9bcb9)
  • postgres: handle timestamptz persistence/hydration correctly (#​11774) (c26fc33)
  • prevent eager relations from being joined twice when explicitly specified (#​11991) (1fa4129)
  • properly escape column alias in orderBy (#​12027) (b975297)
  • query stack trace for mysql/mssql (#​12056) (24677a1)
  • query-builder: follow-up fixes for eager load relation strategy (#​12256) (0801b85)
  • query-builder: resolve alias collision for self-referencing relations with query load strategy (#​11066) (bf6e1ef)
  • query-builder: resolve column lookup when using database column name in addOrderBy (#​11904) (0ebc7e5)
  • query-builder: validate orderBy condition values at runtime (#​12217) (93eec63)
  • query-runner: parameterize queries and escape identifiers to prevent SQL injection (#​12207) (e2284d8)
  • query-runner: parameterize SQL queries across all drivers (#​12197) (c7ea070)
  • raw select query with correctly ordered selected columns (#​11902) (b0dd92d)
  • remove error handling for *-to-many in createPropertyPath (#​11119) (9792beb)
  • remove whitespaces in log query (#​12047) (417593e)
  • resolve issue order subquery column (Cannot get metadata of given alias) (#​11343) (77b6ca9)
  • resolve nameless TableForeignKey on drop foreign key (#​10744) (1a98424)
  • schema: sort composite FK columns to match referenced PK index order (#​12280) (3e32686)
  • security: validate limit() in Update/SoftDelete query builders (#​12436) (9284c16)
  • soft deletion should not update the already soft deleted rows (#​10705) (60b10c8)
  • sqlite: handle simple-enum arrays correctly (#​11865) (73227bc)
  • switch to type imports and exports whenever possible (#​12044) (ad4e806)
  • test: clean up schema-builder test entities and code smells (#​12324) (fd7d3ed)
  • test: replace hardcoded IDs and names with entity references in closure-table test (#​12289) (4f18b34)
  • types: add proper entity typing for queryBuilder.update (#​11296) (7084240)
  • update child's mpath (#​10844) (6f3788b)
  • update RelationIdLoader to use DriverUtils.getAlias (#​11228) (cd7ab97)
  • upsert: handle update false or generatedType properly (#​12030) (21664d5)
  • use file reference for typeorm in playground to prevent false dependabot alerts (#​12438) (7e559d7)
  • use subquery with join map one methods (#​11943) (710d176)
  • ValueTransformer: transform FindOperators in ApplyValueTransformers (#​11172) (54cc6c4)
Features
  • add better typing for conditions in increment and decrement of EntityManager (#​11294) (2260718)
  • add codemod package for automated v1 migration (#​12233) (2ee2190)
  • add deferrable support to exclusion decorator to mirror unique and index decorators (#​11802) (441a000)
  • add encryption key for React Native (#​11736) (c70a65b)
  • add error handling and log warning for ormconfig loading failures (#​11871) (f2547e1)
  • add modern migrations tooling gsoc project (#​11958) (24977e3)
  • add support for installing additional postgres extensions (#​11888) (fbb625b)
  • add support for table comments in SAP HANA (#​11939) (e71108f)
  • aurora-postgres: transaction isolation level support (#​12334) (e899d8f)
  • ci: switch to npm trusted publishing with nightly support (#​11986) (c5680ce)
  • codemod: detect incompatible ecosystem packages and bump dependency versions (#​12360) (2060a5b)
  • codemod: flag FileLogger usage with non-absolute logPath (#​12361) (b2759bd)
  • codemod: flag removed ConnectionManager class constructions (#​12376) (43b8d0b), closes #​12373
  • codemod: flag removed FindOneOptions/FindManyOptions join property (#​12375) (f4f762e)
  • codemod: rename ConnectionOptionsReader.all() to get() and flag path semantics change (#​12362) (8ba2d25)
  • docs: add Geist Mono as monospace font for code snippets (ecec06f)
  • docs: add maintainers landing page and homepage section (d240233)
  • docs: add maintainers page to main navbar (5662b27)
  • docs: add Sofia Sans and Geist typography via Google Fonts (ff5cc26)
  • docs: replace emoji icons with Lucide React and simplify section colors (83c3d8b)
  • gsoc 2026 idea list (#​11953) (5d422ad)
  • invalid-where-values-behavior: make throw the default (#​11710) (c6745f3)
  • mongodb: implement object-based select projection for find methods (#​12237) (7171643)
  • mysql: update query types to include named parameters (#​11798) (c7a3962)
  • postgres: add support for PostgreSQL indices (#​11318) (22ed3ec)
  • postgres: use ADD VALUE when changing enum values if possible (#​10956) (f1be21e)
  • qodo: enable new review experience (#​11909) (c645209)
  • QueryRunner: add ifExists parameter to all drop methods (#​12121) (3e47ee2)
  • sap: add support for generated column in SAP HANA (#​12393) (c35378f)
  • spanner: implement transaction isolation level support (#​12335) (530ee52)
  • sqlite: add support for jsonb column type in SQLite (#​11933) (0b8e937)
  • support INSERT INTO ... SELECT FROM ... in QueryBuilder (#​11896) (8fc0915)
  • support cascade truncate in clear() method (#​11866) (ef596c3)
  • support explicit resource management in QueryRunner (#​11701) (4ad74e1)
  • transactions: add isolationLevel option to DataSource for all drivers (#​12269) (950ce01)
Performance Improvements
BREAKING CHANGES
  • TypeORM is now compiled for ECMAScript 2023, meaning old versions of Node.js are no longer supported. The minimum supported version of Node.js is 20.

0.3.30 (2026-05-18)

Bug Fixes
  • cockroachdb: adjust join in loadTables to load correct table columns (#​12413) (d93402e)
  • find-options: allow array values in JsonContains (#​12420) (90f169d)
  • preserve user-defined shared join columns in change set (#​12354) (0aba011)
  • scope computed-columns join to correct table in MSSQL schema query (#​12288) (6170be6)
  • scope invalidWhereValuesBehavior to high-level abstractions only (#​11878) (1e10fb8)
Reverts

0.3.29 (2026-05-08)

Bug Fixes
Features

0.3.28 (2025-12-02)

Bug Fixes
Features

0.3.27 (2025-09-19)

Bug Fixes
Features
Performance Improvements
Reverts

0.3.26 (2025-08-16)

Notes:

  • When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
    in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
  • When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
    is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.
Bug Fixes
Features
Performance Improvements

0.3.25 (2025-06-19)

Bug Fixes
Features

0.3.24 (2025-05-14)

Bug Fixes
Features
Performance Improvements

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Oct 31, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 814208b to 1c3e2d4 Compare November 11, 2025 02:08
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 1c3e2d4 to c888cc2 Compare November 18, 2025 19:58
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from c888cc2 to d5a5b3d Compare December 3, 2025 17:59
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from d5a5b3d to f1f9ab5 Compare December 31, 2025 14:00
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from 18ac8be to 5b88e64 Compare January 23, 2026 17:34
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 5b88e64 to c46475d Compare February 12, 2026 11:46
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from c46475d to 248fccc Compare March 5, 2026 14:00
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 248fccc to 3341282 Compare March 13, 2026 14:55
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-typeorm-vulnerability branch March 27, 2026 00:44
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed chore(deps): update dependency typeorm to v0.3.26 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 3341282 to e6e3fd6 Compare March 30, 2026 18:11
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from e6e3fd6 to c2a4a4f Compare April 8, 2026 21:12
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed chore(deps): update dependency typeorm to v0.3.26 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch 3 times, most recently from d24da55 to 860856b Compare May 3, 2026 19:34
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 860856b to cc5267c Compare May 9, 2026 16:03
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from c49d60d to e15d673 Compare June 12, 2026 15:32
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed Jul 1, 2026
@renovate renovate Bot closed this Jul 1, 2026
@renovate renovate Bot changed the title chore(deps): update dependency typeorm to v0.3.26 [security] - autoclosed chore(deps): update dependency typeorm to v0.3.26 [security] Jul 1, 2026
@renovate renovate Bot reopened this Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from e15d673 to b43c9fc Compare July 1, 2026 22:53
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from b43c9fc to 3f92033 Compare July 12, 2026 09:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants