chore(deps): update dependency typeorm to v0.3.26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
typeorm (source)	0.3.17 → 0.3.26

---

TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

CVE-2025-60542 / GHSA-q2pj-6v73-8rgj

More information

Details

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Severity

• CVSS Score: 8.9 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-60542
• https://github.com/typeorm/typeorm/pull/11574
• https://github.com/typeorm/typeorm/releases/tag/0.3.26
• https://github.com/typeorm/typeorm/releases?q=security&expanded=true
• https://medium.com/@​alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453
• https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef
• https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54
• https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524
• https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124
• https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts
• https://github.com/advisories/GHSA-q2pj-6v73-8rgj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

typeorm/typeorm (typeorm)

v0.3.26

Compare Source

Notes:

• When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
  in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
• When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
  is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

• add stricter type-checking and improve event loop handling (#​11540) (01dddfe)
• do not create junction table metadata when it already exists (#​11114) (3c26cf1)
• mysql: set stringifyObjects implicitly (#​11574) (d57fe3b)
• mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#​11555) (1737e97)
• oracle: pass duplicated parameters correctly to the client when executing a query (#​11537) (f2d2236)
• platform[web worker]: improve globalThis variable retrieval for browser environment (#​11495) (ec26eae)
• preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#​10679) (66ee307), closes #​10678 #​10678
• regtype is not supported in aurora serverless v2 (#​11568) (6e9f20d)
• resolve array modification bug in QueryRunner drop methods (#​11564) (f351757), closes #​11563
• support for better-sqlite3 v12 (#​11557) (1ea3a5e)

Features

• add Redis 5.x support with backward compatibility with peer dependency to allow (#​11585) (17cf837), closes #​11528
• sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#​11526) (abf8863)
• sap: use the native driver for connection pooling (#​11520) (aebc7eb)
• support virtual columns in entity schema (#​11597) (d1e3950)

Performance Improvements

• avoid unnecessary count on getManyAndCount (#​11524) (5904ac3)

v0.3.25

Compare Source

Bug Fixes

• add collation update detection in PostgresDriver (#​11441) (24c3e38), closes #​8647 #​8647
• fix null pointer exception on date array column comparison (#​11532) (42e7cbe)
• handle limit(0) and offset(0) correctly in SelectQueryBuilder (#​11507) (413f0a6)
• improve async calls on disconnect (#​11523) (ead4f98)
• multiple relations with same column name(s) generate invalid SELECT statement (#​11400) (63a3b9a), closes #​1668 #​9788 #​9814 #​10121 #​10148 #​11109 #​11132 #​11180
• postgres: resolve alias or table name in upsert/insert or update conditionally (#​11452) (2bfa300), closes #​11082 #​11440
• tree-entity: closure junction table primary key definition should match parent table (#​11422) (ce23d46)
• docs: fix up doc search workflow (#​11513) (930eefd)

Features

• add upsert support for Oracle, SQLServer and SAP HANA (#​10974) (a9c16ee)
• spanner: use credentials from connection options (#​11492) (07d7913), closes #​11442
• docs: add typesense/docsearch-scraper (#​11424) (65d5a00)
• docs: add Plausible analytics script to Docusaurus config (#​11517) (86f12c9)

v0.3.24

Compare Source

Bug Fixes

• capacitor use query to run PRAGMA statements (#​11467) (d325d9e)
• ci: resolve pkg.pr.new publish failure (2168441)
• mssql: avoid mutating input parameter array values (#​11476) (b8dbca5)

Features

• add tagged template for executing raw SQL queries (#​11432) (c464ff8)
• add updateAll and deleteAll methods to EntityManager and Repository APIs (#​11459) (23bb1ee)
• spanner: support insert returning (#​11460) (144634d), closes #​11453

Performance Improvements

• improve save performance during entities update (15de733)

v0.3.23

Compare Source

⚠️ Note on a breaking change

This release includes a technically breaking change (from this PR) in the behaviour of the delete and update methods of the EntityManager and Repository APIs, when an empty object is supplied as the criteria:

await repository.delete({})
await repository.update({}, { foo: 'bar' })

• Old behaviour was to delete or update all rows in the table
• New behaviour is to throw an error: Empty criteria(s) are not allowed for the delete/update method.

Why?

This behaviour was not documented and is considered dangerous as it can allow a badly-formed object (e.g. with an undefined id) to inadvertently delete or update the whole table.

When the intention actually was to delete or update all rows, such queries can be rewritten using the QueryBuilder API:

await repository.createQueryBuilder().delete().execute()
// executes: DELETE FROM table_name
await repository.createQueryBuilder().update().set({ foo: 'bar' }).execute()
// executes: UPDATE table_name SET foo = 'bar'

An alternative method for deleting all rows is to use:

await repository.clear()
// executes: TRUNCATE TABLE table_name

Bug Fixes

• beforeQuery promises not awaited before query execution (#​11086) (b9842e3), closes #​11085 #​11085
• change how array columns are compared on column changed detection (#​11269) (a61654e), closes #​5967
• cleanup after streaming in sap hana (#​11399) (fadad1a)
• mongo: propagate aggregate method's generic type to its returned cursor (#​10754) (56f1898)
• prevent error when replication is undefined (#​11423) (61a6f97)
• update/delete/softDelete by criteria of condition objects (#​10910)

Features

• add FormattedConsoleLogger (#​11401) (4c8fc3a), closes #​10801
• add new foreign key decorator, and entity schemas options (#​11144) (6ebae3b), closes #​4569
• Add query timeout support for MySql (#​10846) (046aebe)
• generate ESM migrations via esm flag (#​10802) (7c5ea99), closes #​10801
• publish PR releases using pkg.pr.new (274bdf2)

Performance Improvements

• query-runner: use Date.now() instead of +new Date() (#​10811) (fe71a0c)

v0.3.22

Compare Source

Bug Fixes

• bulk insert NULL values in Oracle (#​11363) (bcaa0bf)
• ensure correct MSSQL parameter conversion in where conditions (ecae9f5), closes #​11285
• export QueryEvent before/after types (#​10688) (03dbc7a)
• FindOptionsSelect to use correct type when property is an object (#​11355) (834e856)
• incorrect table alias in insert orUpdate with Postgres driver (#​11082) (72c6991), closes #​11077
• inverse relation metadata not cyclic (50a660a)
• remove unnecessary import from JS migration (#​11327) (72145b8)
• remove unnecessary spaces in message when running non-fake migrations (#​10809) (c3bebdc)
• sap: incorrect handling of simple array/json data type (#​11322) (27b4207)
• sap: normalize deprecated/removed data types in SAP HANA Cloud (#​11356) (460ef02)
• sap: pass the configured schema to the db client (#​11321) (04ca83a)
• sql escape issues identified by CodeQL (#​11338) (863caf1)
• update mongodb connection options (#​11310) (81bb9d5)
• version detection for Postgres derived variants (#​11375) (3d79786)

Features

• postgres: support macaddr8 column type (b0ea913)
• Send DriverInfo to MongoDB client (#​11214) (a29e047)
• Support Expo SQLite Next (7b242e1)

Reverts

• Revert "fix: nested transactions issues (#​10210)" (7aa4f3c), closes #​10210

v0.3.21

Compare Source

Bug Fixes

• Add support for better-sqlite3 v10 and 11 (#​11096) (6c0c2ba)
• composite key save issue (#​10672) (83567f5)
• moved reflect-metadata to peerDependencies and set version to "^0.1.14 || ^0.2.0" (#​10779) (e7649d2)
• npm-readme: resolve missing image file (#​11290) (c554f58)
• npm-readme: resolve missing image file pt. 2 (#​11291) (981cf82)
• Update mssql allowed version to fix vulnerability. (#​10933) (3a51160)
• Fix maximum call stack error (#​10733) (7a384be0)
• use sql-highlight instead of cli-highlight (#​11221) (1516cfe)

Performance Improvements

• improve results transformer performance (#​10349) (7bea198)

v0.3.20

Compare Source

Bug Fixes

• added missing parentheses in where conditions (#​10650) (4624930), closes #​10534
• don't escape indexPredicate (#​10618) (dd49a25)
• fallback runMigrations transaction to DataSourceOptions (#​10601) (0cab0dd)
• hangup when load relations with relationLoadStrategy: query (#​10630) (54d8d9e), closes #​10481
• include asExpression columns in returning clause (#​10632) (f232ba7), closes #​8450 #​8450
• multiple insert in SAP Hana (#​10597) (1b34c9a)
• resolve issue CREATE/DROP Index concurrently (#​10634) (8aa8690), closes #​10626
• type inferencing of EntityManager#create (#​10569) (99d8249)

Features

• add json type support for Oracle (#​10611) (7e85460)
• add postgres multirange column types (#​10627) (d0b7670), closes #​10556
• add table comment for postgres (#​10613) (4493db4)

Reverts

• Revert "fix: prevent using absolute table path in migrations unless required (#​10123)" (#​10624) (8f371f2), closes #​10123 #​10624
• revert "feat: nullable embedded entities (#​10289)" (#​10614) (15de46f), closes #​10289 #​10614

v0.3.19

Compare Source

Bug Fixes

• fixed Cannot read properties of undefined (reading 'sync') caused after glob package upgrade

v0.3.18

Compare Source

Bug Fixes

• add BaseEntity to model-shim (#​10503) (3cf938e)
• add error handling for missing join columns (#​10525) (122c897), closes #​7034
• add missing export for View class (#​10261) (7adbc9b)
• added fail callback while opening the database in Cordova (#​10566) (8b4df5b)
• aggregate function throw error when column alias name is set (#​10035) (022d2b5), closes #​9927
• backport postgres connection error handling to crdb (#​10177) (149226d)
• bump better-sqlite3 version range (#​10452) (75ec8f2)
• caching always enabled not caching queries (#​10524) (8af533f)
• circular dependency breaking node.js 20.6 (#​10344) (ba7ad3c), closes #​10338
• correctly keep query.data from ormOption for commit / rollback subscribers (#​10151) (73ee70b)
• default value in child table/entity column decorator for multiple table inheritance is ignored for inherited columns (#​10563) (#​10564) (af77a5d)
• deletedAt column leaking as side effect of object update while creating a row (#​10435) (7de4890)
• empty objects being hydrated when eager loading relations that have a @VirtualColumn (#​10432) (b53e410), closes #​10431
• extend GiST index with range types for Postgres driver (#​10572) (a4900ae), closes #​10567
• ignore changes for columns with update: false in persistence (#​10250) (f8fa1fd), closes #​10249
• improve helper for cli for commands missing positionals (#​10133) (9f8899f)
• loading datasource unable to process a regular default export (#​10184) (201342d), closes #​8810
• logMigration has incorrect logging condition (#​10323) (d41930f), closes #​10322 #​10322
• ManyToMany ER_DUP_ENTRY error (#​10343) (e296063), closes #​5704
• migrations on indexed TIMESTAMP WITH TIME ZONE Oracle columns (#​10506) (cf37f13), closes #​10493
• mongodb - undefined is not constructor (#​10559) (ad5bf11)
• mongodb resolves leaked cursor (#​10316) (2dc9624), closes #​10315
• mssql datasource testonborrow not affecting anything (#​10589) (122b683)
• nested transactions issues (#​10210) (25e6ecd)
• prevent using absolute table path in migrations unless required (#​10123) (dd59524)
• remove date-fns in favor of DayJs (#​10306) (cf7147f)
• remove dynamic require calls (#​10196) (a939654)
• resolve circular dependency when using Vite (#​10273) (080528b)
• resolve issue building eager relation alias for nested relations (#​10004) (c6f608d), closes #​9944
• resolve issue of generating migration for numeric arrays repeatedly (#​10471) (39fdcf6), closes #​10043
• resolve issue queryBuilder makes different parameter identifiers for same parameter (#​10327) (6c918ea), closes #​7308
• resolve issues on upsert (#​10588) (dc1bfed), closes #​10587
• scrub all comment end markers from comments (#​10163) (d937f61)
• serialize bigint when building a query id #​10336 (#​10337) (bfc1cc5)
• should automatically cache if alwaysEnable (#​10137) (173910e), closes #​9910
• SQLite simple-enum column parsing (#​10550) (696e688)
• update UpdateDateColumn on upsert (#​10458) (fdb9866), closes #​9015
• upgrade ts-node version to latest(10.9.1) version (#​10143) (fcb9904)
• using async datasource to configure typeorm (#​10170) (fbd45db)

Features

• ability to change default replication mode (#​10419) (72b1d1b)
• add concurrent indexes for postgres (#​10442) (f4e6eaf)
• add exists and exists by (#​10291) (b6b46fb)
• add isolated where statements (#​10213) (3cda7ec)
• add MSSQL disableAsciiToUnicodeParamConversion option and tests (#​10161) (df7c069), closes #​10131
• add support for mssql server DefaultAzureCredential usage (#​10246) (c8ee5b1)
• add support for table comment in MySQL (#​10017) (338df16)
• allow to use custom type witch extends object type for find where argument (#​10475) (48f5f85)
• BeforeQuery and AfterQuery events (#​10234) (5c28154), closes #​3302
• custom STI discriminator value for EntitySchema (#​10508) (b240d87), closes #​10494
• enabled CTE for oracle driver (#​10319) (65858f3)
• entityId in InsertEvent (#​10540) (ae006af)
• expose countDocuments in mongodb (#​10314) (ebd61d1)
• exposed entity and criteria properties on EntityNotFoundError (#​10202) (bafcd17)
• implement column comments for SAP HANA (#​10502) (45e31cc)
• implement OR operator (#​10086) (a00b1df), closes #​10054 #​10054 #​10054 #​10054 #​10054 #​10054 #​10054
• implement streaming for SAP HANA (#​10512) (7e9cead)
• implements QueryFailedError generic for driverError typing (#​10253) (78b2f48)
• modify repository.extend method for chaining repositories (#​10256) (ca29c0f)
• nullable embedded entities (#​10289) (e67d704)
• support for MongoDB 6.x (#​10545) (3647b26)
• support mssql@​10 (#​10356) (f6bb671), closes #​10340
• use node-oracledb 6 (#​10285) (3af891a), closes #​10277
• user-defined index name for STI discriminator column (#​10509) (89c5257), closes #​10496

Performance Improvements

• improve SapQueryRunner performance (#​10198) (f6b87e3)

BREAKING CHANGES

• With node-oracledb the thin client is used as default. Added a option to use the thick client. Also added the option to specify the instant client lib
• MongoDB: from the previous behavior of returning a result with metadata describing when a document is not found.
  See: https://github.com/mongodb/node-mongodb-native/blob/HEAD/etc/notes/CHANGES_6.0.0.md
• new nullable embeds feature introduced a breaking change which might enforce you to update types on your entities to | null,
  if all columns in your embed entity are nullable. Since database queries now return embedded property as null if all its column values are null.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.