chore(deps): update dependency typeorm to v0.3.29 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
typeorm (source)	0.3.26 → 0.3.29

---

TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)

GHSA-9ggv-8w38-r7pm

More information

Details

Impact

Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder affecting MySQL and MariaDB users.

UpdateQueryBuilder and SoftDeleteQueryBuilder (including their addOrderBy variants) do not validate the order parameter against an allowlist of permitted values (ASC/DESC). The caller-supplied value is stored verbatim and concatenated directly into the generated SQL string without quoting or parameterization. SelectQueryBuilder.orderBy performs this validation correctly; the affected builders do not.

If any code path passes user-controlled input to orderBy/addOrderBy on an update or soft-delete query, an attacker can inject arbitrary SQL via the sort direction — even when the column name itself is hardcoded.

Demonstrated impact includes:

• Data exfiltration via time-based blind extraction (e.g. using SLEEP() to infer secret values bit by bit)
• Row targeting manipulation in queries using LIMIT patterns
• Denial of service via SLEEP()-based query exhaustion

CVSS 3.1: 8.6 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected files (relative to commit 73fda419):

• src/query-builder/UpdateQueryBuilder.ts: lines 383–419 and 718–744
• src/query-builder/SoftDeleteQueryBuilder.ts: lines 352–388 and 520–546

The vulnerability was introduced in commit 03799bd2 (v0.1.12) and is present through the latest release (v0.3.28).

Patches

A fix has been released in 0.3.29 (1b66c44) and 1.0.0 (93eec63).

Workarounds

Applications can manually validate the order argument before passing it to orderBy or addOrderBy on update or soft-delete query builders:

const direction = userInput.toUpperCase();
if (direction !== 'ASC' && direction !== 'DESC') {
  throw new Error('Invalid sort direction');
}
qb.orderBy(column, direction as 'ASC' | 'DESC');

Do not pass user-controlled values to orderBy/addOrderBy on UpdateQueryBuilder or SoftDeleteQueryBuilder without this validation.

References

• Introduced in commit 03799bd2 (v0.1.12)
• Confirmed present in v0.3.28 (commit 73fda419)
• See SelectQueryBuilder.orderBy for the correct validation pattern this fix should mirror

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/typeorm/typeorm/security/advisories/GHSA-9ggv-8w38-r7pm
• https://github.com/typeorm/typeorm/commit/1b66c44d0410bdc56a0dcefb46be41867ec0fffc
• https://github.com/typeorm/typeorm/commit/93eec630630b219b162ba4e0c072afa851697cff
• https://github.com/advisories/GHSA-9ggv-8w38-r7pm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

typeorm/typeorm (typeorm)

v0.3.29

Compare Source

What's Changed

• fix: fix up aggregate methods ambiguous column by @​Cprakhar in #​11822
• fix: prevent eager-loaded entities from overwriting manual relations by @​LeviHeber in #​11267
• fix: release query runner when there is no migration to revert by @​mjr128 in #​11232
• fix: add async to the method using setFindOptions() by @​bindon in #​10787
• chore: disable eslint errors for chai assertions by @​alumni in #​11833
• ci(tests): Remove limitation of branches to run on by @​OSA413 in #​11794
• ci: upgrade actions to v6 by @​pkuczynski in #​11844
• docs(v0.3): add version dropdown (stable/dev) by @​naorpeled in #​11863
• fix(sap): QueryBuilder parameter of type JS Date not escaped correctly by @​alumni in #​11867
• feat(sap): add pool timeout by @​alumni in #​11868
• feat(qodo): enable new review experience in v0.3 by @​naorpeled in #​11910
• feat: add returning option to update/upsert operations by @​naorpeled in #​11782
• test: enable repository-returning test by @​gioboa in #​11913
• chore(qodo): disable in progress notification in v0.3 by @​naorpeled in #​11928
• ci(docs): add deploy Github Action to v0.3 branch by @​naorpeled in #​11929
• chore(qodo): disable persistent comments and inline code suggestions in v0.3 by @​naorpeled in #​11989
• chore(deps): update all dependencies to the latest minor version by @​alumni in #​12015
• fix(redis): redis cache version detection by @​mguida22 in #​11936
• ci: remove summary comments location policy by @​naorpeled in #​12117
• ci(qodo): remove /improve from pr and push commands by @​naorpeled in #​12129
• ci: migrate from npm to pnpm by @​pkuczynski in #​12193
• ci(qodo): sync qodo pr agent config from master by @​naorpeled in #​12265
• ci: remove docs indexing by @​alumni in #​12435
• fix(security): validate limit() in Update/SoftDelete query builders by @​smith-xyz in #​12437
• chore(deps): update all minor by @​alumni in #​12443
• chore(release): release 0.3.29 by @​michaelbromley in #​12442

New Contributors

• @​LeviHeber made their first contribution in #​11267
• @​mjr128 made their first contribution in #​11232
• @​bindon made their first contribution in #​10787

Full Changelog: typeorm/typeorm@0.3.28...0.3.29

v0.3.28

Compare Source

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

The list below is the set of commits between 0.3.30 and 1.0.0 — fixes already shipped on the 0.3.x line are listed under their respective 0.3.x entries below.

• feat!: drop support for node 16 and 18 (#​11382) (349d910), closes #​11382

Bug Fixes

• cascade: propagate withDeleted to relation-id loader for many-to-many recover (#​12287) (cfba9e7)
• cascade: support cascade remove for OneToMany relations with composite PKs (#​12286) (09183c8)
• cli: preserve devDependencies needed by init command in published package (#​12281) (c3b771c)
• cockroachdb: preserve structured query results during txn retry replay (#​11861) (09db48c)
• codemod: apply find-options select/relations rewrites to .exists() too (#​12399) (4461063)
• codemod: correct relation-count guidance and flag loadRelationCountAndMap (#​12374) (5de5490)
• codemod: cover ColumnMetadata args.options in column option rewrites (#​12400) (7a68cf2)
• codemod: exclude type declarations from build (#​12292) (4c645f0)
• codemod: handle aliases, quoted keys, and ObjectProperty variants (#​12377) (2d15644)
• codemod: handle lock option objects correctly and increase test coverage (#​12353) (b871719)
• codemod: handle typeof type queries and use getStringValue consistently (#​12379) (dedea37)
• codemod: harden destructure and DI accessor rewrites for connection to dataSource rename (#​12398) (057ddbc)
• codemod: harden scope and type-name detection across more AST shapes (#​12394) (9d1fd8d)
• codemod: harden scope, idempotency, and import-strip semantics (#​12391) (ed5a19b)
• codemod: recognize typeorm deep-path imports (#​12382) (a96b097)
• codemod: rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata (#​12383) (8a51e30), closes #​12249
• codemod: rewrite typeorm re-exports in barrel files (#​12373) (25f0b5f)
• codemod: scope v1 transforms to typeorm imports and skip .d.ts files (#​12372) (a34fdb2)
• codemod: track DataSource accessor chains for typed-variable renames (#​12385) (14a3132)
• copy cordova query rows affected into query result (#​10873) (ad22c10)
• disable global order for aggregate functions (#​11925) (2efb2a1)
• do not run npm install during CLI init (#​12386) (66aa930)
• docs: add lunr as explicit dependency for pnpm strict hoisting (f4d435e)
• docs: align code style (#​12081) (5f6eb4c)
• docs: complete Typesense removal missed during cherry-pick (eb7a5b6)
• docs: update docs pnpm lockfile for new dependencies (4123db9)
• eager load relation strategy (#​11326) (5797d97)
• enhance upsert functionality for proper sql generation with table alias (#​11915) (42ce630)
• expo: auto-load expo-sqlite driver via loadDependencies() (#​12363) (212c8ef)
• fix up change detection with date transformer (#​11963) (e3e3c97)
• fix up generated query with .update() (#​11993) (fe6c072)
• fix up join attributes inside bracket (#​11218) (d233daa)
• fix up map objects comparison (#​10990) (f66eee7)
• fix up save with eagerly loaded relation (#​11975) (f5cea95)
• fix working with tables with quotes in the names for postgres and cockroachdb (#​10993) (e5a8afb)
• handle re-save of postgres geometric types (#​11857) (65dea3c)
• handle relation ids in nested embedded entities (#​11942) (5237bee)
• include joined entity primary keys in pagination subquery (#​11669) (4ffe666)
• make shorten method to properly work with camelCase_aliases (#​11283) (8a9a376)
• merging into an entity now respects null values (#​11154) (1676484)
• metadata-builder: deferrable for many to many (#​11924) (910fae7)
• mongo: correctly process embedded arrays of nested documents (#​10940) (bfc293f)
• mongodb: translate ObjectIdColumn property name to _id in find queries (#​12200) (4decab5)
• mysql: getVersion returning undefined for PolarDB-X 2.0 (#​11837) (fdcbcba)
• persistence: handle non-nullable FK in orphaned row nullification (#​11982) (b9aa835)
• postgres,cockroachdb: load enum values in declaration order (#​12404) (bfa9963)
• postgres,cockroachdb: use parameterized queries in clearDatabase() (#​12185) (1abf6e7)
• postgres: execute remaining relation-load and persistence paths sequentially to avoid pg 8.19.0 deprecation (#​12421) (ed9bcb9)
• postgres: handle timestamptz persistence/hydration correctly (#​11774) (c26fc33)
• prevent eager relations from being joined twice when explicitly specified (#​11991) (1fa4129)
• properly escape column alias in orderBy (#​12027) (b975297)
• query stack trace for mysql/mssql (#​12056) (24677a1)
• query-builder: follow-up fixes for eager load relation strategy (#​12256) (0801b85)
• query-builder: resolve alias collision for self-referencing relations with query load strategy (#​11066) (bf6e1ef)
• query-builder: resolve column lookup when using database column name in addOrderBy (#​11904) (0ebc7e5)
• query-builder: validate orderBy condition values at runtime (#​12217) (93eec63)
• query-runner: parameterize queries and escape identifiers to prevent SQL injection (#​12207) (e2284d8)
• query-runner: parameterize SQL queries across all drivers (#​12197) (c7ea070)
• raw select query with correctly ordered selected columns (#​11902) (b0dd92d)
• remove error handling for *-to-many in createPropertyPath (#​11119) (9792beb)
• remove whitespaces in log query (#​12047) (417593e)
• resolve issue order subquery column (Cannot get metadata of given alias) (#​11343) (77b6ca9)
• resolve nameless TableForeignKey on drop foreign key (#​10744) (1a98424)
• schema: sort composite FK columns to match referenced PK index order (#​12280) (3e32686)
• security: validate limit() in Update/SoftDelete query builders (#​12436) (9284c16)
• soft deletion should not update the already soft deleted rows (#​10705) (60b10c8)
• sqlite: handle simple-enum arrays correctly (#​11865) (73227bc)
• switch to type imports and exports whenever possible (#​12044) (ad4e806)
• test: clean up schema-builder test entities and code smells (#​12324) (fd7d3ed)
• test: replace hardcoded IDs and names with entity references in closure-table test (#​12289) (4f18b34)
• types: add proper entity typing for queryBuilder.update (#​11296) (7084240)
• update child's mpath (#​10844) (6f3788b)
• update RelationIdLoader to use DriverUtils.getAlias (#​11228) (cd7ab97)
• upsert: handle update false or generatedType properly (#​12030) (21664d5)
• use file reference for typeorm in playground to prevent false dependabot alerts (#​12438) (7e559d7)
• use subquery with join map one methods (#​11943) (710d176)
• ValueTransformer: transform FindOperators in ApplyValueTransformers (#​11172) (54cc6c4)

Features

• add better typing for conditions in increment and decrement of EntityManager (#​11294) (2260718)
• add codemod package for automated v1 migration (#​12233) (2ee2190)
• add deferrable support to exclusion decorator to mirror unique and index decorators (#​11802) (441a000)
• add encryption key for React Native (#​11736) (c70a65b)
• add error handling and log warning for ormconfig loading failures (#​11871) (f2547e1)
• add modern migrations tooling gsoc project (#​11958) (24977e3)
• add support for installing additional postgres extensions (#​11888) (fbb625b)
• add support for table comments in SAP HANA (#​11939) (e71108f)
• aurora-postgres: transaction isolation level support (#​12334) (e899d8f)
• ci: switch to npm trusted publishing with nightly support (#​11986) (c5680ce)
• codemod: detect incompatible ecosystem packages and bump dependency versions (#​12360) (2060a5b)
• codemod: flag FileLogger usage with non-absolute logPath (#​12361) (b2759bd)
• codemod: flag removed ConnectionManager class constructions (#​12376) (43b8d0b), closes #​12373
• codemod: flag removed FindOneOptions/FindManyOptions join property (#​12375) (f4f762e)
• codemod: rename ConnectionOptionsReader.all() to get() and flag path semantics change (#​12362) (8ba2d25)
• docs: add Geist Mono as monospace font for code snippets (ecec06f)
• docs: add maintainers landing page and homepage section (d240233)
• docs: add maintainers page to main navbar (5662b27)
• docs: add Sofia Sans and Geist typography via Google Fonts (ff5cc26)
• docs: replace emoji icons with Lucide React and simplify section colors (83c3d8b)
• gsoc 2026 idea list (#​11953) (5d422ad)
• invalid-where-values-behavior: make throw the default (#​11710) (c6745f3)
• mongodb: implement object-based select projection for find methods (#​12237) (7171643)
• mysql: update query types to include named parameters (#​11798) (c7a3962)
• postgres: add support for PostgreSQL indices (#​11318) (22ed3ec)
• postgres: use ADD VALUE when changing enum values if possible (#​10956) (f1be21e)
• qodo: enable new review experience (#​11909) (c645209)
• QueryRunner: add ifExists parameter to all drop methods (#​12121) (3e47ee2)
• sap: add support for generated column in SAP HANA (#​12393) (c35378f)
• spanner: implement transaction isolation level support (#​12335) (530ee52)
• sqlite: add support for jsonb column type in SQLite (#​11933) (0b8e937)
• support INSERT INTO ... SELECT FROM ... in QueryBuilder (#​11896) (8fc0915)
• support cascade truncate in clear() method (#​11866) (ef596c3)
• support explicit resource management in QueryRunner (#​11701) (4ad74e1)
• transactions: add isolationLevel option to DataSource for all drivers (#​12269) (950ce01)

Performance Improvements

• cockroachdb: batch DROP statements in clearDatabase() (#​12159) (d494489)
• postgres: batch DROP statements in clearDatabase() (#​12164) (c4dc431)

BREAKING CHANGES

• TypeORM is now compiled for ECMAScript 2023, meaning old versions of Node.js are no longer supported. The minimum supported version of Node.js is 20.

0.3.30 (2026-05-18)

Bug Fixes

• cockroachdb: adjust join in loadTables to load correct table columns (#​12413) (d93402e)
• find-options: allow array values in JsonContains (#​12420) (90f169d)
• preserve user-defined shared join columns in change set (#​12354) (0aba011)
• scope computed-columns join to correct table in MSSQL schema query (#​12288) (6170be6)
• scope invalidWhereValuesBehavior to high-level abstractions only (#​11878) (1e10fb8)

Reverts

• fix up limit with joins (#​11987) (66f1ff8)

0.3.29 (2026-05-08)

Bug Fixes

• add async to the method using setFindOptions() (#​10787) (cc07c90)
• change import for process dependency (#​11248) (1c67c3b)
• cli: init command loading non-existing package.json (#​11947) (4d9d1a6)
• fix up aggregate methods ambiguous column (#​11822) (6e34756)
• fix up limit with joins (#​11987) (3657db8)
• getPendingMigrations unnecessarily creating migrations table (#​11672) (1dbc224)
• postgres: execute queries sequentially to avoid pg 8.19.0 deprecation warning (#​12105) (79829a0)
• prevent columns with select false from being returned (#​11944) (6b20831)
• prevent eager-loaded entities from overwriting manual relations (#​11267) (2d8c515)
• propagate schema and database to closure junction table (#​12110) (58b403f)
• redis: redis cache version detection (#​11936) (f22c7a2)
• release query runner when there is no migration to revert (#​11232) (a46eb0a)
• sap: QueryBuilder parameter of type JS Date not escaped correctly (#​11867) (5153436)
• security: validate limit() in Update/SoftDelete query builders (#​12437) (0d7991a)
• virtual property handling in schema builder (#​11000) (5bd3255)

Features

• add returning option to update/upsert operations (#​11782) (11d9767)
• sap: add pool timeout (#​11868) (b4e2ad2)
• sap: support locking in select (#​11996) (86a9e3e)

0.3.28 (2025-12-02)

Bug Fixes

• add multiSubnetFailover option for mssql (#​10804) (83e3a8a)
• circular import in SapDriver.ts (#​11750) (bed7913)
• cli: init command reading package.json from two folders up (#​11789) (dd55218)
• deps: upgrade glob to fix CVE-2025-64756 (#​11784) (dc74f53)
• mongodb: add missing findBy method to MongoEntityManager (#​11814) (38715bb)
• redis: version detection logic (#​11815) (6f486e5)
• typesense doc sync (#​11807) (d0b5454)

Features

• add support for jsonpath column type in PostgreSQL (#​11684) (4f05718)
• cli/init: pick dependencies versions from our own package.json (#​11705) (b930909)
• entity schema support trees (#​11606) (925dee0)
• export QueryPartialEntity and QueryDeepPartialEntity types (#​11748) (ade198c)
• init version in postgres driver only if not set (#​11373) (cb1284c)
• manage MongoDB SOCKS5 proxy settings (#​11731) (d7867eb)
• mssql: support 'vector' type for MS SQL Server (#​11732) (2681051)
• mysql: add pool size options for each connection (#​11810) (67f793f)
• mysql: add support for vector columns on MariaDB and MySQL (#​11670) (cfb3d6c)

0.3.27 (2025-09-19)

Bug Fixes

• Add package.json exports for react-native (#​11623) (6965fa2)
• JSON parsing for mysql2 client library (#​8319) (#​11659) (974ead2)
• query-builder: handle empty result set when offset exceeds total (#​11634) (1f90467)
• update tests to reflect migration template changes (#​11653) (3fac86b)

Features

• add new undefined and null behavior flags (#​11332) (96ea431)
• allow VirtualColumns to be initially non-selectable (#​11586) (22b26d1)
• migration: improve JSDoc types in generated migration templates (#​11490) (fa3cd43)
• mysql: add support for MySQL 9 / MariaDB 12 (#​11575) (8b76e1a)
• postgres: support vector/halfvec data types (#​11437) (a49f612)

Performance Improvements

• Cache package.json location between getNearestPackageJson invocations (#​11580) (b6ffd46), closes #​4136

Reverts

• Revert "fix: do not create junction table metadata when it already exists (#​11114)" (#​11660) (34d8714), closes #​11114 #​11660

0.3.26 (2025-08-16)

Notes:

• When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
  in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
• When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
  is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

• add stricter type-checking and improve event loop handling (#​11540) (01dddfe)
• do not create junction table metadata when it already exists (#​11114) (3c26cf1)
• mysql: set stringifyObjects implicitly (#​11574) (d57fe3b)
• mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#​11555) (1737e97)
• oracle: pass duplicated parameters correctly to the client when executing a query (#​11537) (f2d2236)
• platform[web worker]: improve globalThis variable retrieval for browser environment (#​11495) (ec26eae)
• preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#​10679) (66ee307), closes #​10678 #​10678
• regtype is not supported in aurora serverless v2 (#​11568) (6e9f20d)
• resolve array modification bug in QueryRunner drop methods (#​11564) (f351757), closes #​11563
• support for better-sqlite3 v12 (#​11557) (1ea3a5e)

Features

• add Redis 5.x support with backward compatibility with peer dependency to allow (#​11585) (17cf837), closes #​11528
• sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#​11526) (abf8863)
• sap: use the native driver for connection pooling (#​11520) (aebc7eb)
• support virtual columns in entity schema (#​11597) (d1e3950)

Performance Improvements

• avoid unnecessary count on getManyAndCount (#​11524) (5904ac3)

0.3.25 (2025-06-19)

Bug Fixes

• add collation update detection in PostgresDriver (#​11441) (24c3e38), closes #​8647 #​8647
• fix null pointer exception on date array column comparison (#​11532) (42e7cbe)
• handle limit(0) and offset(0) correctly in SelectQueryBuilder (#​11507) (413f0a6)
• improve async calls on disconnect (#​11523) (ead4f98)
• multiple relations with same column

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.