
fix(deps): update dependency typeorm to ^0.3.0 [security] #36

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-typeorm-vulnerability

@renovate renovate Bot commented Mar 21, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
|---|---|
| typeorm (source) | ^0.2.18 → ^0.3.0 |

SQL injection in typeORM

CVE-2022-33171 / GHSA-fx4w-v43j-vc45

More information

Details

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

CVE-2025-60542 / GHSA-q2pj-6v73-8rgj

More information

Details

Summary

SQL injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, because the sqlstring call uses the stringifyObjects default of false.

Details

Vulnerable Code:

const { username, city, name } = req.body;
const updateData = {
  username,
  city,
  name,
  id: userId,
}; // Developer aims to only allow above three fields to be updated
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:"myusername",phone:12345,name:"Javad"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:"myusername",city:{name:"Javad",role:"admin"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

The above query is valid because city = name = Javad is a boolean expression resulting in city = 1 (false). The "role" column is injected and updated.

The underlying issue was that TypeORM used mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. The option is then passed to the sqlstring library as false, which results in sqlstring parsing objects in a strange way using objectToValues.

Severity

  • CVSS Score: 8.9 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

typeorm/typeorm (typeorm)

v0.3.30

Compare Source

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

The list below is the set of commits between 0.3.30 and 1.0.0 — fixes already shipped on the 0.3.x line are listed under their respective 0.3.x entries below.

Bug Fixes
  • cascade: propagate withDeleted to relation-id loader for many-to-many recover (#​12287) (cfba9e7)
  • cascade: support cascade remove for OneToMany relations with composite PKs (#​12286) (09183c8)
  • cli: preserve devDependencies needed by init command in published package (#​12281) (c3b771c)
  • cockroachdb: preserve structured query results during txn retry replay (#​11861) (09db48c)
  • codemod: apply find-options select/relations rewrites to .exists() too (#​12399) (4461063)
  • codemod: correct relation-count guidance and flag loadRelationCountAndMap (#​12374) (5de5490)
  • codemod: cover ColumnMetadata args.options in column option rewrites (#​12400) (7a68cf2)
  • codemod: exclude type declarations from build (#​12292) (4c645f0)
  • codemod: handle aliases, quoted keys, and ObjectProperty variants (#​12377) (2d15644)
  • codemod: handle lock option objects correctly and increase test coverage (#​12353) (b871719)
  • codemod: handle typeof type queries and use getStringValue consistently (#​12379) (dedea37)
  • codemod: harden destructure and DI accessor rewrites for connection to dataSource rename (#​12398) (057ddbc)
  • codemod: harden scope and type-name detection across more AST shapes (#​12394) (9d1fd8d)
  • codemod: harden scope, idempotency, and import-strip semantics (#​12391) (ed5a19b)
  • codemod: recognize typeorm deep-path imports (#​12382) (a96b097)
  • codemod: rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata (#​12383) (8a51e30), closes #​12249
  • codemod: rewrite typeorm re-exports in barrel files (#​12373) (25f0b5f)
  • codemod: scope v1 transforms to typeorm imports and skip .d.ts files (#​12372) (a34fdb2)
  • codemod: track DataSource accessor chains for typed-variable renames (#​12385) (14a3132)
  • copy cordova query rows affected into query result (#​10873) (ad22c10)
  • disable global order for aggregate functions (#​11925) (2efb2a1)
  • do not run npm install during CLI init (#​12386) (66aa930)
  • docs: add lunr as explicit dependency for pnpm strict hoisting (f4d435e)
  • docs: align code style (#​12081) (5f6eb4c)
  • docs: complete Typesense removal missed during cherry-pick (eb7a5b6)
  • docs: update docs pnpm lockfile for new dependencies (4123db9)
  • eager load relation strategy (#​11326) (5797d97)
  • enhance upsert functionality for proper sql generation with table alias (#​11915) (42ce630)
  • expo: auto-load expo-sqlite driver via loadDependencies() (#​12363) (212c8ef)
  • fix up change detection with date transformer (#​11963) (e3e3c97)
  • fix up generated query with .update() (#​11993) (fe6c072)
  • fix up join attributes inside bracket (#​11218) (d233daa)
  • fix up map objects comparison (#​10990) (f66eee7)
  • fix up save with eagerly loaded relation (#​11975) (f5cea95)
  • fix working with tables with quotes in the names for postgres and cockroachdb (#​10993) (e5a8afb)
  • handle re-save of postgres geometric types (#​11857) (65dea3c)
  • handle relation ids in nested embedded entities (#​11942) (5237bee)
  • include joined entity primary keys in pagination subquery (#​11669) (4ffe666)
  • make shorten method to properly work with camelCase_aliases (#​11283) (8a9a376)
  • merging into an entity now respects null values (#​11154) (1676484)
  • metadata-builder: deferrable for many to many (#​11924) (910fae7)
  • mongo: correctly process embedded arrays of nested documents (#​10940) (bfc293f)
  • mongodb: translate ObjectIdColumn property name to _id in find queries (#​12200) (4decab5)
  • mysql: getVersion returning undefined for PolarDB-X 2.0 (#​11837) (fdcbcba)
  • persistence: handle non-nullable FK in orphaned row nullification (#​11982) (b9aa835)
  • postgres,cockroachdb: load enum values in declaration order (#​12404) (bfa9963)
  • postgres,cockroachdb: use parameterized queries in clearDatabase() (#​12185) (1abf6e7)
  • postgres: execute remaining relation-load and persistence paths sequentially to avoid pg 8.19.0 deprecation (#​12421) (ed9bcb9)
  • postgres: handle timestamptz persistence/hydration correctly (#​11774) (c26fc33)
  • prevent eager relations from being joined twice when explicitly specified (#​11991) (1fa4129)
  • properly escape column alias in orderBy (#​12027) (b975297)
  • query stack trace for mysql/mssql (#​12056) (24677a1)
  • query-builder: follow-up fixes for eager load relation strategy (#​12256) (0801b85)
  • query-builder: resolve alias collision for self-referencing relations with query load strategy (#​11066) (bf6e1ef)
  • query-builder: resolve column lookup when using database column name in addOrderBy (#​11904) (0ebc7e5)
  • query-builder: validate orderBy condition values at runtime (#​12217) (93eec63)
  • query-runner: parameterize queries and escape identifiers to prevent SQL injection (#​12207) (e2284d8)
  • query-runner: parameterize SQL queries across all drivers (#​12197) (c7ea070)
  • raw select query with correctly ordered selected columns (#​11902) (b0dd92d)
  • remove error handling for *-to-many in createPropertyPath (#​11119) (9792beb)
  • remove whitespaces in log query (#​12047) (417593e)
  • resolve issue order subquery column (Cannot get metadata of given alias) (#​11343) (77b6ca9)
  • resolve nameless TableForeignKey on drop foreign key (#​10744) (1a98424)
  • schema: sort composite FK columns to match referenced PK index order (#​12280) (3e32686)
  • security: validate limit() in Update/SoftDelete query builders (#​12436) (9284c16)
  • soft deletion should not update the already soft deleted rows (#​10705) (60b10c8)
  • sqlite: handle simple-enum arrays correctly (#​11865) (73227bc)
  • switch to type imports and exports whenever possible (#​12044) (ad4e806)
  • test: clean up schema-builder test entities and code smells (#​12324) (fd7d3ed)
  • test: replace hardcoded IDs and names with entity references in closure-table test (#​12289) (4f18b34)
  • types: add proper entity typing for queryBuilder.update (#​11296) (7084240)
  • update child's mpath (#​10844) (6f3788b)
  • update RelationIdLoader to use DriverUtils.getAlias (#​11228) (cd7ab97)
  • upsert: handle update false or generatedType properly (#​12030) (21664d5)
  • use file reference for typeorm in playground to prevent false dependabot alerts (#​12438) (7e559d7)
  • use subquery with join map one methods (#​11943) (710d176)
  • ValueTransformer: transform FindOperators in ApplyValueTransformers (#​11172) (54cc6c4)
Features
  • add better typing for conditions in increment and decrement of EntityManager (#​11294) (2260718)
  • add codemod package for automated v1 migration (#​12233) (2ee2190)
  • add deferrable support to exclusion decorator to mirror unique and index decorators (#​11802) (441a000)
  • add encryption key for React Native (#​11736) (c70a65b)
  • add error handling and log warning for ormconfig loading failures (#​11871) (f2547e1)
  • add modern migrations tooling gsoc project (#​11958) (24977e3)
  • add support for installing additional postgres extensions (#​11888) (fbb625b)
  • add support for table comments in SAP HANA (#​11939) (e71108f)
  • aurora-postgres: transaction isolation level support (#​12334) (e899d8f)
  • ci: switch to npm trusted publishing with nightly support (#​11986) (c5680ce)
  • codemod: detect incompatible ecosystem packages and bump dependency versions (#​12360) (2060a5b)
  • codemod: flag FileLogger usage with non-absolute logPath (#​12361) (b2759bd)
  • codemod: flag removed ConnectionManager class constructions (#​12376) (43b8d0b), closes #​12373
  • codemod: flag removed FindOneOptions/FindManyOptions join property (#​12375) (f4f762e)
  • codemod: rename ConnectionOptionsReader.all() to get() and flag path semantics change (#​12362) (8ba2d25)
  • docs: add Geist Mono as monospace font for code snippets (ecec06f)
  • docs: add maintainers landing page and homepage section (d240233)
  • docs: add maintainers page to main navbar (5662b27)
  • docs: add Sofia Sans and Geist typography via Google Fonts (ff5cc26)
  • docs: replace emoji icons with Lucide React and simplify section colors (83c3d8b)
  • gsoc 2026 idea list (#​11953) (5d422ad)
  • invalid-where-values-behavior: make throw the default (#​11710) (c6745f3)
  • mongodb: implement object-based select projection for find methods (#​12237) (7171643)
  • mysql: update query types to include named parameters (#​11798) (c7a3962)
  • postgres: add support for PostgreSQL indices (#​11318) (22ed3ec)
  • postgres: use ADD VALUE when changing enum values if possible (#​10956) (f1be21e)
  • qodo: enable new review experience (#​11909) (c645209)
  • QueryRunner: add ifExists parameter to all drop methods (#​12121) (3e47ee2)
  • sap: add support for generated column in SAP HANA (#​12393) (c35378f)
  • spanner: implement transaction isolation level support (#​12335) (530ee52)
  • sqlite: add support for jsonb column type in SQLite (#​11933) (0b8e937)
  • support INSERT INTO ... SELECT FROM ... in QueryBuilder (#​11896) (8fc0915)
  • support cascade truncate in clear() method (#​11866) (ef596c3)
  • support explicit resource management in QueryRunner (#​11701) (4ad74e1)
  • transactions: add isolationLevel option to DataSource for all drivers (#​12269) (950ce01)
Performance Improvements
BREAKING CHANGES
  • TypeORM is now compiled for ECMAScript 2023, meaning old versions of Node.js are no longer supported. The minimum supported version of Node.js is 20.

0.3.30 (2026-05-18)

Bug Fixes
  • cockroachdb: adjust join in loadTables to load correct table columns (#​12413) (d93402e)
  • find-options: allow array values in JsonContains (#​12420) (90f169d)
  • preserve user-defined shared join columns in change set (#​12354) (0aba011)
  • scope computed-columns join to correct table in MSSQL schema query (#​12288) (6170be6)
  • scope invalidWhereValuesBehavior to high-level abstractions only (#​11878) (1e10fb8)
Reverts

0.3.29 (2026-05-08)

Bug Fixes
Features

0.3.28 (2025-12-02)

Bug Fixes
Features

0.3.27 (2025-09-19)

Bug Fixes
Features
Performance Improvements
Reverts

0.3.26 (2025-08-16)

Notes:

  • When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
    in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
  • When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
    is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.
Bug Fixes
Features
Performance Improvements

0.3.25 (2025-06-19)

Bug Fixes
Features

[0.3.24](https://redirect.github.com/typeorm/typeorm/compare/0.

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
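
The column expansion described in the CVE-2025-60542 advisory above, reproduced with a simplified model of the escaping rules together with an application-side guard. This is an added example, not code from the PR, TypeORM or sqlstring: escapeValue, buildSetClause and pickScalarFields are hypothetical names, and the request bodies are constructed from the advisory's payloads. The same scalar check applies to an id passed to findOne (CVE-2022-33171).

```javascript
// Simplified model of the value escaping described in the advisory (NOT the sqlstring source).
// stringifyObjects=false: a plain object expands to `key` = value pairs.
// stringifyObjects=true:  a plain object is escaped as one string literal.
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

function escapeString(text) {
  return "'" + String(text).replace(/[\\']/g, (ch) => '\\' + ch) + "'";
}

function escapeValue(value, stringifyObjects) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number' || typeof value === 'boolean') return String(value);
  if (typeof value === 'object') {
    if (stringifyObjects) return escapeString(String(value));
    return Object.entries(value)
      .map(([key, inner]) => escapeId(key) + ' = ' + escapeValue(inner, true))
      .join(', ');
  }
  return escapeString(value);
}

// Builds the SET clause in the layout of the advisory's UPDATE statements.
function buildSetClause(fields, stringifyObjects) {
  return Object.entries(fields)
    .map(([column, value]) => escapeId(column) + ' = ' + escapeValue(value, stringifyObjects))
    .join(', ');
}

// Hypothetical application-side guard: copy only allow-listed fields and
// refuse any value that is not a string, number or boolean.
function pickScalarFields(body, allowedFields) {
  const picked = {};
  for (const field of allowedFields) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const value = body[field];
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      const kind = value === null ? 'null' : typeof value;
      throw new TypeError(`field "${field}" must be a scalar, got ${kind}`);
    }
    picked[field] = value;
  }
  return picked;
}

// Constructed request bodies mirroring the two payloads in the advisory.
const benignBody = { username: 'myusername', city: 'Riga', name: 'Javad' };
const nestedBody = { username: 'myusername', city: { name: 'Javad', role: 'admin' } };

function demo() {
  const allowed = ['username', 'city', 'name'];
  let rejected = false;
  try {
    pickScalarFields(nestedBody, allowed);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return {
    benign: buildSetClause(pickScalarFields(benignBody, allowed), false),
    nestedLegacy: buildSetClause(nestedBody, false),     // pre-0.3.26 default
    nestedStringified: buildSetClause(nestedBody, true), // 0.3.26 default
    rejected,
  };
}

console.log(demo());
```

With stringifyObjects set to true the nested object collapses to a single string literal, so upgrading closes the column expansion; the guard rejects the nested value before it reaches the repository at all.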

@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from c9f8cf1 to 527758c Compare August 12, 2025 00:10
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 527758c to de7e964 Compare August 23, 2025 16:00
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from de7e964 to 19b8a54 Compare September 1, 2025 02:28
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 19b8a54 to 2984cf0 Compare September 26, 2025 23:55
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 2984cf0 to c64a93a Compare October 23, 2025 06:32
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from c64a93a to f52a6e9 Compare November 1, 2025 12:14
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Nov 1, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from f52a6e9 to bd5880f Compare November 16, 2025 07:44
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Nov 16, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from f397066 to f163be2 Compare November 20, 2025 15:14
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Nov 20, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from f163be2 to 6ddd56a Compare December 4, 2025 19:24
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Dec 4, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 6ddd56a to 9c0894c Compare December 5, 2025 15:49
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Dec 5, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 9c0894c to 6790134 Compare December 30, 2025 11:49
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Dec 30, 2025
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 6790134 to e319cab Compare January 2, 2026 07:43
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Jan 2, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from e319cab to 7366b4c Compare January 9, 2026 15:04
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Jan 9, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 7366b4c to 1b00823 Compare January 10, 2026 07:39
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Jan 10, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 1b00823 to aed0268 Compare January 20, 2026 11:40
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Jan 20, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from aed0268 to cf5d5a6 Compare January 21, 2026 19:24
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Jan 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from cf5d5a6 to e19154c Compare February 3, 2026 07:45
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Feb 3, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 769eb0e to 096bf00 Compare February 13, 2026 03:55
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Feb 13, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 096bf00 to 04f3c08 Compare February 14, 2026 07:31
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Feb 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 04f3c08 to d90b53c Compare February 16, 2026 19:56
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Feb 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from d90b53c to 68c051f Compare February 19, 2026 12:11
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] Feb 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 68c051f to 07678ba Compare March 8, 2026 09:08
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] Mar 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 07678ba to 4e7ac19 Compare March 15, 2026 00:19
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 4e7ac19 to 3c1b5e4 Compare April 15, 2026 18:18
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch 2 times, most recently from f0bccc1 to ae9eb33 Compare May 3, 2026 07:30
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] May 3, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from ae9eb33 to 8af9079 Compare May 13, 2026 06:59
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] May 13, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 8af9079 to 1959ce1 Compare May 14, 2026 11:38
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 1959ce1 to e0b8c06 Compare May 16, 2026 06:51
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] May 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from e0b8c06 to 80e1f0a Compare May 17, 2026 07:53
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] May 17, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 80e1f0a to 5f38d1e Compare May 21, 2026 08:06
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] May 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 5f38d1e to 4d78b38 Compare May 24, 2026 08:05
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.0 [security] fix(deps): update dependency typeorm to ^0.3.26 [security] May 24, 2026
@renovate renovate Bot force-pushed the renovate/npm-typeorm-vulnerability branch from 4d78b38 to b5aa349 Compare May 30, 2026 19:05
@renovate renovate Bot changed the title fix(deps): update dependency typeorm to ^0.3.26 [security] fix(deps): update dependency typeorm to ^0.3.0 [security] May 30, 2026