New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency knex to v2 [security] #75

Open

renovate wants to merge 1 commit into master from renovate/npm-knex-vulnerability

renovate bot commented Nov 11, 2019 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
knex (source)	`0.14.2` -> `2.4.0`

GitHub Vulnerability Alerts

CVE-2019-10757

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

CVE-2016-20018

Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. This vulnerability has been fixed in version 2.4.0.

Release Notes

knex/knex (knex)

`v2.4.0`

New features:

Support partial unique indexes #5316
Make compiling SQL in error message optional #5282

Bug fixes

Insert array into json column #5321
Fix unexpected max acquire-timeout #5377
Fix: orWhereJson #5361
MySQL: Add assertion for basic where clause not to be object or array #1227
SQLite: Fix changing the default value of a boolean column in SQLite #5319

Typings:

add missing type for 'expirationChecker' on PgConnectionConfig #5334

`v2.3.0`

New features:

PostgreSQL: Explicit jsonb support for custom pg clients #5201
SQLite: Support returning with sqlite3 and better-sqlite3 #5285
MSSQL: Implement mapBinding mssql dialect option #5292

Typings:

Update types for TS 4.8 #5279
Fix typo #5267
Fix WhereJsonObject withCompositeTableType #5306
Fix AnalyticFunction type #5304
Infer specific column value type in aggregations #5297

`v2.2.0`

New features:

Inline primary key creation for postgres flavours #5233
SQLite: Add warning for undefined connection file #5223
MSSQL: Add JSON parameter support for connection #5200

Bug fixes:

PostgreSQL: add primaryKey option for uuid #5212

Typings:

Add promisable and better types #5222
Update raw query bind parameter type #5208

`v2.1.0`

New features:

Improve bundling experience to safely import dialects while using static paths #5142
Implement extendable builders #5041
PostgreSQL: Refresh materialized view concurrently #5166

Bug fixes:

Use correct paths in package.json browser field #5174
MariaDB: Fix 'NULL' returned instead of NULL on MariaDB 10.2.6+ #5181
MySQL: fix hasColumn Error (hasColumn ('a_id') is true, but hasColumn('a_Id') is false) #5148
MSSQL: Fix .hasTable result when using .withSchema #5176
Oracle: correctly INSERTS Buffer #4869

Typings:

Update type definitions for pg connection #5139

`v2.0.0`

Breaking changes

Restore sqlite3 package #5136

Test / internal changes:

Migrate Husky from 4 to 7 #5137
Migrate Jake to 10.8.5 #5138

`v1.0.7`

Bug fixes:

CLI: Fix cli migrate:make SQLite dependency #5106

`v1.0.6`

Bug fixes:

PostgreSQL: Wait for search path to be set before returning connection #5107
CLI: No client override during migrate:make #5109

`v1.0.5`

New features:

Override knexfile options with CLI options #4047

Bug fixes:

Stringify json value in update #5063
Fix isModuleType() for yarn #4447
Wrapped Unions Fixes #5072
SQLite: Fix @vscode-sqlite3 error message #5081
CLI: Fix completed migration listing #5060

Typings:

Make default generic parameters of Knex match the generic parameter types of knex #5021
Update knex types for TS 4.7 #5095

`v1.0.4`

New features:

Add whereLike functions #5044

Bug fixes:

Fix orWhereJsonPath clause #5022
Subquery in on clause missing parenthesis #5049
Rework Union Wrapping #5030
Oracle: Fix batch inserts with DEFAULT values with OracleDB #2592 #5037

Typings:

Fix types for "returning" methods #5031
createTableLike callback should be optional #5055

Documentation:

Website URL changed to https://knex.github.io/documentation/

`v1.0.3`

Bug fixes:

Fix error message for missing migration files #4937
Add withMaterialized and withNotMaterialized to method-constants #5009
PostgreSQL: Fix whereJsonPath queries #5011
PostgreSQL: Fix delete joins #5016
CockroachDB: Fix whereJsonPath queries #5011
MySQL: Create primary keys in same statement #5017

Typings:

Fix type definition for getMigration in MigrationSource #4998
Fix argument type of alter method #4996

Improvements:

Use async / await syntax in seeds as default #5005

Documentation:

Add Firebird dialect to ECOSYSTEM.md #5003

`v1.0.2`

New features:

Support of MATERIALIZED and NOT MATERIALIZED with WITH/CTE #4940
Add raw support in onConflict clause #4960
Alter nullable constraint when alterNullable is set to true #4730
Add alterType parameter for alter function #4967
Support string json in json values #4988
MySQL: add with clause #4508

Bug fixes:

Fix error message for missing migration files #4937
Move deferrable to after on update/on delete #4976
Do not use sys.tables to find if a table exists #2328
PostgreSQL: Fix Order nulls #4989
MySQL: Fix collation when renaming column #2666
SQLite: Same boolean handling in better-sqlite3 as in sqlite3 #4982

Typings:

WhereILike - fix typo #4941

`v1.0.1`

Bug fixes:

Fix package.json metadata

`v1.0.0`

Breaking changes

Dropped support for Node 10;
Replaced unsupported sqlite3 driver with @vscode/sqlite3;
Changed data structure from RETURNING operation to be consistent with SELECT;
Changed Migrator to return list of migrations as objects consistently.

New features:

Support fromRaw #4781
Support zero precision in timestamp/datetime #4784
Support whereLike and whereILike #4779
Add JSDoc (TS flavor) to stub files #4809
Allow skip binding in limit and offset #4811
Support creating a new table in the database based on another table #4821
Accept Raw on onIn joins #4830
Implement support for custom seed sources #4842
Add binary uuid option #4836
ForUpdate array parameter #4882
Add camel case to timestamps method #4803
Advanced JSON support #4859
Add type to TypeScript knexfile #4909
Checks Constraints Support #4874
Support creating multiple PKs with increments #4903
Enable wrapIdentifier for SQLite .hasTable #4915
MSSQL: Add support for unique constraint #4887
SQLite: New dialect, using better-sqlite3 driver #4871
SQLite: Switch to @vscode/sqlite3 #4866
SQLite: Support createViewOrReplace #4856
SQLite: Support RETURNING statements for better-sqlite3 driver #4934
PostgreSQL: Support JOIN and USING syntax for Delete Statement #4800

Bug fixes:

Fix overzealous warning on use of whereNot with "in" or "between" #4780
Fix Union all + first syntax error #4799
Make view columns optional in create view like #4829
Insert lock row fix during migration #4865
Fix for createViewOrReplace #4856
SQLite: Fix foreign key constraints when altering a table #4189
MySQL: Validate connection fix #4794
MySQL: Set comment size warning limit to 1024 #4867

Typings:

Allow string indexType in index creation #4791
Add missing ints typings #4832
Returning method types #4881
Improve columnInfo type #4868

`v0.95.15`

Bug fixes:

Oracle:
MariaDB: lock row fix during migration in MariaDB and Oracle #4865

`v0.95.14`

Bug fixes:

MySQL: mysql2 dialect validate connection fix #4794

`v0.95.13`

Bug fixes:

PostgreSQL: Support zero precision in timestamp/datetime #4784

Typings:

Allow string indexType in index creation #4791

`v0.95.12`

New features:

New dialect: CockroachDB #4742
New dialect: pg-native #4327
CockroachDB: add support for upsert #4767
PostgreSQL: Support SELECT .. FOR NO KEY UPDATE / KEY SHARE row level locking clauses #4755
PostgreSQL: Add support for 'CASCADE' in PostgreSQL 'DROP SCHEMA' queries #4713
MySQL: Add storage engine index Type support to index() and unique() schema #4756
MSSQL: Support table.primary, table.unique variant with options object #4710
SQLite: Add setNullable support to SQLite #4684
Add geometry column building #4776
Add support for creating table copies #1373
Implement support for views and materialized views #1626
Implement partial index support #4768
Support for 'is null' in 'order by' #3667

Bug fixes:

Fix support for Oracle connections passed via knex.connection() #4757
Avoid inserting multiple locks if a migration lock already exists #4694

Typings:

Some TableBuilder methods return wrong types #4764
Update JoinRaw bindings type to accept arrays #4752
fix onDelete/onUpdate for ColumnBuilder #4656

`v0.95.11`

New features:

Add support for nullability modification via schema builder (table.setNullable() and table.dropNullable()) #4657
MySQL: Add support for mysql/mariadb-client JSON parameters in connectionURIs #4629
MSSQL: Support comments as MS_Description properties #4632

Bug fixes:

Fix Analytic orderBy and partitionBy to follow the SQL documentation #4602
CLI: fix migrate:up for migrations disabling transactions #4550
SQLite: Fix adding a column with a foreign key constraint in SQLite #4649
MSSQL: columnInfo() support case-sensitive database collations #4633
MSSQL: Generate valid SQL for withRecursive() #4514
Oracle: withRecursive: omit invalid RECURSIVE keyword, include column list #4514

Improvements:

Add .mjs migration and seed stubs #4631
SQLite: Clean up DDL handling and move all operations to the parser-based approach #4648

`v0.95.10`

Improvements:

Use sys info function instead of connection db name #4623

Typings:

Deferrable and withkeyName should not be in ColumnBuilder #4600

`v0.95.9`

New features:

Oracle: support specifying schema for dropTable and dropSequence #4596
Oracle: support specifying schema for autoincrement #4594

Typings:

Add TypeScript support for deferrable, new Primary/Unique syntax #4589

`v0.95.8`

New features:

Add deferrable support for constraint #4584
Implement delete with join #4568
Add DPI error codes for Oracle #4536

Bug fixes:

Fixing PostgreSQL datetime and timestamp column created with wrong format #4578

Typings:

Improve analytic types #4576
MSSQL: Add trustServerCertificate option #4500

`v0.95.7`

New features:

Add ability to omit columns on an onConflict().ignore() #4557
CLI: Log error message #4534

Typings:

Export Knex.TransactionConfig #4498
Include options object in count(Distinct) typings #4491
Add types for analytic functions #4544

`v0.95.6`

Typings:

Export TransactionProvider type #4489

`v0.95.5`

New features:

SQLite: Add support for file open flags #4446
Add .cjs extension to Seeder.js to support Node ESM #4381 #4382

Bug fixes:

Remove peerDependencies to avoid auto-install on npm 7 #4480

Typings:

Fix typing for increments and bigIncrements #4406
Add typings for on JoinClause for onVal #4436
Adding Type Definition for isTransaction #4418
Export client class from knex namespace #4479

`v0.95.4`

Typings:

Fix mistyping of stream #4400

`v0.95.3`

New features:

PostgreSQL: Add "same" as operator #4372
MSSQL: Improve an estimate of the max comment length #4362
Throw an error if negative offset is provided #4361

Bug fixes:

Fix timeout method #4324
SQLite: prevent dropForeign from being silently ignored #4376

Typings:

Allow config.client to be non-client instance #4367
Add dropForeign arg type for single column #4363
Update typings for TypePreservingAggregation and stream #4377

`v0.95.2`

New features:

Improve ESM import support #4350

Bug fixes:

CLI: update ts.stub files to new TypeScript namespace #4344
CLI: fix TypeScript migration stub after 0.95.0 changes #4366

Typings:

Move QueryBuilder and KnexTimeoutError into knex namespace #4358

Test / internal changes:

Unify db test helpers #4356

`v0.95.1`

Bug fixes:

Oracle:
MariaDB: lock row fix during migration in MariaDB and Oracle #4865

`v0.95.0`

Note: there are many breaking changes in this version, particularly in TypeScript support. Please see UPGRADING.md for details.

New features:

Add transaction isolation support #4185
Add analytic functions #4188
Change default to not trigger a promise rejection for transactions with a specified handler #4195
Make toSQL().toNative() work for Raw to match the API for QueryBuilder #4058
Allow 'match' operator #3569
Support optimizer hints #4243
Add parameter to prevent autoincrement columns from being primary keys #4266
Make "first" and "pluck" mutually exclusive #4280
Added merge strategy to allow selecting columns to upsert. #4252
Throw error if the array passed to insert is empty #4289
Events: introduce queryContext on query-error #4301
CLI: Use UTC timestamp for new migrations #4245
MSSQL: Replace MSSQL dialect with Tedious.js implementation #2857 #4281
MSSQL: Use "nvarchar(max)" for ".json()" #4278
MSSQL: Schema builder - add predictable constraint names for default values #4319
MSSQL: Schema builder - attempt to drop default constraints when changing default value on columns #4321
SQLite: Fallback to json for sqlite3 when using jsonb #4186
SQLite: Return complete list of DDL commands for creating foreign keys #4194
SQLite: Support dropping composite foreign keys #4202
SQLite: Recreate indices when altering a table #4277
SQLite: Add support for altering columns #4322

Bug fixes:

Fix issue with .withSchema usage with joins on a subquery #4267
Fix issue with schema usage with FROM clause contain QueryBuilder, function or Raw #4268
CLI: Address raised security warnings by dropping liftoff #4122
CLI: Fix an issue with npm@7 and ESM when type was set to 'module' in package.json #4295
PostgreSQL: Add check to only create native enum once #3658
SQLite: Fix foreign key "on delete" when altering a table #4225
SQLite: Made the constraint detection case-insensitive #4330
MySQL: Keep auto increment after rename #4266
MSSQL: don't raise query-error twice #4314
MSSQL: Alter column must have its own query #4317

Typings:

TypeScript 4.1+ is now required
Add missing onConflict overrides #4182
Introduce the "infamous triplet" export #4181
Fix type definition of Transaction #4172
Add typedefinitions for havingNotIn #4265
Include 'name' property in MigratorConfig #4300
Improve join and conflict types #4318
Fix ArrayIfAlready type #4331

Test / internal changes:

Drop global Knex.raw #4180
Stop using legacy url.parse API #3702
Various internal refactorings #4175 #4177 #4178 #4192
Refactor to classes #4190 #4191 #4193 #4210 #4253
Move transaction type tests to TSD #4208
Clean up destroy logic #4248
Colorize code snippets in readme files #4234
Add "Ecosystem" documentation for Knex plugins #4183
Documentation cleanup
SQLite: Use SQLite "rename column" instead of a DDL helper #4200
SQLite: Simplify reinsert logic when altering a table #4272

`v0.21.21`

`v0.21.20`

`v0.21.19`

SQLite: Made the constraint detection case-insensitive #4332

`v0.21.18`

CLI: Fix an issue with npm@7 and ESM when type was set to 'module' in package.json #4295

`v0.21.17`

Bug fixes:

SQLite: Fix SQLite foreign on delete when altering a table #4261

New features:

Add support for optimizer hints (see https://github.com/knex/documentation/pull/306 for documentation) #4243

`v0.21.16`

Bug fixes:

MSSQL: Avoid passing unsupported pool param. Fixes node-mssql 7+ support #4236

`v0.21.15`

New features:

SQLite: Add primary/foreign support on alterTable #4162
SQLite: Add dropPrimary/dropForeign support on alterTable #4162

Typings:

Add "after" and "first" to columnBuilder types #3549 #4169

Test / internal changes:

Extract knex config resolution logic #4166
Run CI using GitHub Actions #4168
Add Node.js 15 to CI matrix #4173

`v0.21.14`

New features:

MSSQL: support "returning" on inserts, updates and deletes on tables with triggers #4152
Use esm import if package.json type is "module" #4158

Bug fixes:

Make sure query-response and query-error events contain _knexTxId #4160

Test / internal changes:

Improved integration test framework #4161

`v0.21.13`

New features:

SQLite: Add support for dropForeign #4092
Add support for WHERE clauses to "upsert" queries #4148

Bug fixes:

MSSQL: Avoid connection getting stuck on socket hangup #4157
Oracle: Support specifying non-default DB port #4147
Oracle: Support inserts with only default values (empty body) #4092
CLI: fix irregular seed file execution order #4156
Fix performance of asyncStackTraces with enable-source-maps node flag #4154

Typings:

PostgreSQL: Add support for application_name #4153
Fix types for insert to allow array #4105
Add types for userParams and withUserParams #4119
Added type for withKeyName #4139
Fix batchInsert definitions #4131
Fix types for WhereIn signature (value or query builder) #3863
Add types for connection config of mysql2 driver #4144

Test / internal changes:

Move TS tests to tsd (WIP) #4109 #4110

`v0.21.12`

Typings:

Reintroduce support for globally defining table/record mapping #4100
Add a few missing types for MSSQL Connection #4103
Make .ignore() and .merge() return QueryBuilder rather than QueryInterface #4102
Use tarn config TS types instead of generic-pool #4064

`v0.21.11`

Typings:

Revert support for globally defining table/record mapping #4099

`v0.21.10`

New features:

Upsert support (Postgres/MySQL/Sqlite) #3763

Bug fixes:

Switch to non-uuid knexQueryUids to avoid issues when mocking global date #4089

Typings:

Allow to globally define table/record mapping #4071

`v0.21.9`

New features:

add method clear(statement) to QueryBuilder #4051

Bug fixes:

CLI: fix help text being printed twice #4072
Oracle: columnInfo() no longer requires an Owner User #4053
Add missing "start" event propagation from transaction #4087

`v0.21.8`

Bug fixes:

MSSQL: Escape properly if literal '?' is needed #4053
Make toQuery behavior consistent with pre-0.21.7 (do not break on empty builder) #4083
Fix comment escaping for MySQL and PostgreSQL #4084

`v0.21.7`

New features:

CLI: Add migration stub for .cjs extension #4065

Bug fixes:

MSSQL: Add dynamic scaling for decimal values and prevents a UInt64 overflow #3910
MSSQL: Fix apostrophe escaping #4077
Ensure that semicolon is not appended to statements that already end with a semicolon #4052

Typings:

Add arguments to QueryCallback in Where #4034

Test / internal changes:

Replace lodash type-checks with native solutions #4056
Replace mkdirp with native recursive flag #4060
Replace inherits package with builtin utility #4059

`v0.21.6`

New features:

CLI: New config parameter / CLI flag to prefixing seed filename with timestamp #3873
CLI: throw an error when specific seed file cannot be found #4011
Warn if whereNot is used with 'in' or 'between' #4038

Bug fixes:

CLI: Fix double merging of config for migrator #4040

Typings:

Unify SeedsConfig and SeederConfig #4003
Allow string[] type for directory in SeedsConfig #4033

`v0.21.5`

New features:

CLI: Improve Esm interop #3985
CLI: Improve mjs module support #3980

Test / internal changes:

Bump version of dtslint #3984
Test/document esm interop mixed formats (knexfile/migrations/seeds) #3986

`v0.21.4`

New features:

CLI: Add new option for seed: recursive #3974

Bug fixes:

CLI: Do not load seeds from subfolders recursively by default #3974

`v0.21.3`

New features:

CLI: Support multiple directories for seeds #3967

Bug fixes:

Ensure DB stream is destroyed when the PassThrough is destroyed #2324
Support postProcessResponse for streams #3931
Fix ESM module interop for calling module/package of type 'module' #3938
CLI: Fix migration source name in rollback all #3956
Fix getMergedConfig calls to include client logger #3920
Escape single quoted values passed to defaultTo function #3899

Typings:

Add .timeout(ms) to .raw()'s typescript typings #3885
Add typing for double table column builder #3950
Add a phantom tag to Ref type to mark received type parameters as used #3934
Add null as valid binding type #3946

Test / internal changes:

Change query lab link to https #3933

`v0.21.2`

New features:

Warn user if custom migration source is being reset #3839
Prefer void as return type on migration generator ts stub #3865
MSSQL: Added the removal of a columns default constraint, before dropping the column #3855

Typings:

Fix definition for raw querybuilders #3846

Test / internal changes:

Refactor migration logic to use async/await #3838

`v0.21.1`

SQLite: Made the constraint detection case-insensitive #4332

`v0.21.0`

Improvements

Reduce size of lodash in bundle #3804

Breaking changes

Dropped support for Node 8
Breaking upstream change in pg-query-stream: Changed stream.close to stream.destroy which is the official way to terminate a readable stream. This is a breaking change if you rely on the stream.close method on pg-query-stream...though should be just a find/replace type operation to upgrade as the semantics remain very similar (not exactly the same, since internals are rewritten, but more in line with how streams are "supposed" to behave).

Test / internal changes:

Updated Tarn.js to a version 3.0.0
Updated mkdirp to a version 1.0.4
Updated examples to use ES2015 style #3810

`v0.20.15`

Bug fixes:

Support for .finally(..) on knex's Promise-alikes #3800

Typings:

Add types for .distinctOn #3784

`v0.20.14`

New features:

CLI: adds support for asynchronous knexfile loading #3748
Add clearGroup method #3771

Typings:

Support Raw types for insert, where, update #3730
Add typings for MigrationSource #3756
Update signature of orderBy to support QueryBuilder inside array #3757
Add toSQL and toString to SchemaBuilder #3758
interface Knex and function Knex should have the same types #3787
Fix minor issues around typings #3765

Test / internal changes:

Minor test internal enhancements #3747
Minor improvements on the usage of fs utilities #3749
Split tests in groups #3785

`v0.20.13`

Bug fixes:

Correctly handle dateToString escaping without timezone passed #3742
Make protocol length check more defensive #3744

Typings:

Make the ChainableInterface conform to Promise #3724

`v0.20.12`

Bug fixes:

Added missing call to _reject in Transactor#transaction #3706
Fix method binding on knex proxy #3717
Oracle: Transaction_OracleDB can use config.connection #3731

Typings:

Fix incorrect type signature of Having #3719

Test / internal changes:

Cleanup/remove transaction stalling #3716
Rewrote Transaction#acquireConnection() methods to use async #3707

`v0.20.11`

Breaking changes:

Knex returns native JS promises instead of Bluebird ones. This means that you no longer use such methods as map, spread and reduce on QueryBuilder instance.

New features:

Oracle: Add OracleDB handling for buffer type in fetchAsString #3685

Bug fixes:

Fix race condition in non-container transactions #3671

Typings:

Mark knex arguments of composite/collection types to be readonly #3680

Test / internal changes:

Remove dependency on Bluebird methods from sources #3683
Cleanup and extract Transaction Workflow logic #3674

`v0.20.10`

Bug fixes:

Oracle: commit was a no-op causing race conditions #3668
CLI: Knex calls process.chdir() before opening Knexfile #3661
Fixed unresolved promise in cancelQuery() #3666

Typings:

fn.now takes optionally a precision argument. #3662
PG: Include SSL in connection definition #3659

Test / internal changes:

replace Bluebird.timeout #3634

`v0.20.9`

Bug fi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov bot commented Nov 11, 2019 •

edited

Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@b89bb6b). Click here to learn what that means.
The diff coverage is n/a.

❗ Current head 65b3d44 differs from pull request most recent head 0a452c5. Consider uploading reports for the commit 0a452c5 to get more accurate results

Additional details and impacted files

@@            Coverage Diff            @@
##             master      #75   +/-   ##
=========================================
  Coverage          ?   19.25%           
=========================================
  Files             ?       16           
  Lines             ?      187           
  Branches          ?       31           
=========================================
  Hits              ?       36           
  Misses            ?      121           
  Partials          ?       30

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b89bb6b...0a452c5. Read the comment docs.


          fix(deps): update dependency knex to v2 [security]

0a452c5

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from 65b3d44 to 0a452c5 Compare

March 16, 2023 07:00

renovate bot changed the title ~~fix(deps): update dependency knex to v0.19.5 [security]~~ fix(deps): update dependency knex to v2 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet