fix(deps): update dependency typeorm to ^0.3.0 [security] #33
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.2.45
->^0.3.0
GitHub Vulnerability Alerts
CVE-2022-33171
The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.
Release Notes
typeorm/typeorm (typeorm)
v0.3.0
Compare Source
Changes in the version includes changes from the
next
branch andtypeorm@next
version.They were pending their migration from 2018. Finally, they are in the master branch and master version.
Features
compilation
target
now ises2020
. This requires Node.JS version14+
TypeORM now properly works when installed within different node_modules contexts
(often happen if TypeORM is a dependency of another library or TypeORM is heavily used in monorepo projects)
Connection
was renamed toDataSource
.Old
Connection
is still there, but now it's deprecated. It will be completely removed in next version.New API:
Previously, you could use
new Connection()
,createConnection()
,getConnectionManager().create()
, etc.They all deprecated in favour of new syntax you can see above.
New way gives you more flexibility and simplicity in usage.
Old ways of custom repository creation were dropped.
added new option on relation load strategy called
relationLoadStrategy
.Relation load strategy is used on entity load and determines how relations must be loaded when you query entities and their relations from the database.
Used on
find*
methods andQueryBuilder
. Value can be set tojoin
orquery
.join
- loads relations using SQLJOIN
expressionquery
- executes separate SQL queries for each relationDefault is
join
, but default can be set inConnectionOptions
:Also, it can be set per-query in
find*
methods:And QueryBuilder:
For queries returning big amount of data, we recommend to use
query
strategy,because it can be a more performant approach to query relations.
findOneBy
,findOneByOrFail
,findBy
,countBy
,findAndCountBy
methods toBaseEntity
,EntityManager
andRepository
:Overall
find*
andcount*
method signatures where changed, read the "breaking changes" section for more info.select
type signature inFindOptions
(used infind*
methods):Also, now it's possible to specify select columns of the loaded relations:
relations
type signature inFindOptions
(used infind*
methods):To load nested relations use a following signature:
order
type signature inFindOptions
(used infind*
methods):Now supports nested order by-s:
where
type signature inFindOptions
(used infind*
methods) now allows to build nested statements with conditional relations, for example:Gives you users who have photos in their "profile" album.
FindOperator
-s can be applied for relations inwhere
statement, for example:Gives you users with more than 10 photos.
boolean
can be applied for relations inwhere
statement, for example:BREAKING CHANGES
minimal Node.JS version requirement now is
14+
drop
ormconfig
support.ormconfig
still works if you use deprecated methods,however we do not recommend using it anymore, because it's support will be completely dropped in
0.4.0
.If you want to have your connection options defined in a separate file, you can still do it like this:
Or even more type-safe approach with
resolveJsonModule
intsconfig.json
enabled:But we do not recommend use this practice, because from
0.4.0
you'll only be able to specify entities / subscribers / migrations using direct references to entity classes / schemas (see "deprecations" section).We won't be supporting all
ormconfig
extensions (e.g.json
,js
,ts
,yaml
,xml
,env
).support for previously deprecated
migrations:*
commands was removed. Usemigration:*
commands instead.all commands were re-worked. Please refer to new CLI documentation.
cli
option fromBaseConnectionOptions
(nowBaseDataSourceOptions
options) was removed (since CLI commands were re-worked).now migrations are running before schema synchronization if you have both pending migrations and schema synchronization pending
(it works if you have both
migrationsRun
andsynchronize
enabled in connection options).aurora-data-api
driver now is calledaurora-mysql
aurora-data-api-pg
driver now is calledaurora-postgres
EntityManager.connection
is nowEntityManager.dataSource
Repository
now has a constructor (breaks classes extending Repository with custom constructor)@TransactionRepository
,@TransactionManager
,@Transaction
decorators were completely removed. These decorators do the things out of the TypeORM scope.Only junction table names shortened.
MOTIVATION: We must shorten only table names generated by TypeORM.
It's user responsibility to name tables short if their RDBMS limit table name length
since it won't make sense to have table names as random hashes.
It's really better if user specify custom table name into
@Entity
decorator.Also, for junction table it's possible to set a custom name using
@JoinTable
decorator.findOne()
signature without parameters was dropped.If you need a single row from the db you can use a following syntax:
This change was made to prevent user confusion.
See this issue for details.
findOne(id)
signature was dropped. Use following syntax instead:This change was made to provide a more type-safe approach for data querying.
Due to this change you might need to refactor the way you load entities using MongoDB driver.
findOne
,findOneOrFail
,find
,count
,findAndCount
methods now only acceptFindOptions
as parameter, e.g.:To supply
where
conditions directly withoutFindOptions
new methods were added:findOneBy
,findOneByOrFail
,findBy
,countBy
,findAndCountBy
. Example:This change was required to simply current
find*
andcount*
methods typings,improve type safety and prevent user confusion.
findByIds
was deprecated, usefindBy
method instead in conjunction withIn
operator, for example:This change was made to provide a more type-safe approach for data querying.
findOne
andQueryBuilder.getOne()
now returnnull
instead ofundefined
in the case if it didn't find anything in the database.Logically it makes more sense to return
null
.findOne
now limits returning rows to 1 at database level.NOTE:
FOR UPDATE
locking does not work withfindOne
in Oracle sinceFOR UPDATE
cannot be used withFETCH NEXT
in a single query.where
inFindOptions
(e.g.find({ where: { ... })
) is more sensitive to input criteria now.FindConditions
(where
inFindOptions
) was renamed toFindOptionsWhere
.null
as value inwhere
used infind*
methods is not supported anymore.Now you must explicitly use
IsNull()
operator.Before:
After:
This change was made to make it more transparent on how to add "IS NULL" statement to final SQL,
because before it bring too much confusion for ORM users.
then you won't be able to use it in
find*
'swhere
. Example:Before for the
@Column(/*...*/) membership: MembershipKind
you could have a query like:now, you need to wrap this value into
Equal
operator:This change is due to type-safety improvement new
where
signature brings.order
inFindOptions
(used infind*
methods) doesn't support ordering by relations anymore.Define relation columns, and order by them instead.
where
inFindOptions
(used infind*
methods) previously supportedObjectLiteral
andstring
types.Now both signatures were removed. ObjectLiteral was removed because it seriously breaks the type safety,
and
string
doesn't make sense in the context ofFindOptions
. UseQueryBuilder
instead.MongoRepository
andMongoEntityManager
now use new types calledMongoFindManyOptions
andMongoFindOneOptions
for their
find*
methods.primary relation
(e.g.@ManyToOne(() => User, { primary: true }) user: User
) support is removed.You still have an ability to use foreign keys as your primary keys,
however now you must explicitly define a column marked as primary.
Example, before:
Now:
Primary column name must match the relation name + join column name on related entity.
If related entity has multiple primary keys, and you want to point to multiple primary keys,
you can define multiple primary columns the same way:
This change was required to simplify ORM internals and introduce new features.
prefix relation id columns contained in embedded entities (#7432)
find by Date object in sqlite driver (#7538)
issue with non-reliable
new Date(ISOString)
parsing (#7796)DEPRECATIONS
all CLI commands do not support
ormconfig
anymore. You must specify a file with data source instance instead.entities
,migrations
,subscribers
options insideDataSourceOptions
acceptingstring
directories support is deprecated.You'll be only able to pass entity references in the future versions.
all container-related features (
UseContainerOptions
,ContainedType
,ContainerInterface
,defaultContainer
,useContainer
,getFromContainer
) are deprecated.EntityManager's
getCustomRepository
used within transactions is deprecated. UsewithRepository
method instead.Connection.isConnected
is deprecated. Use.isInitialized
instead.select
inFindOptions
(used infind*
methods) used as an array of property names is deprecated.Now you should use a new object-literal notation. Example:
Deprecated way of loading entity relations:
New way of loading entity relations:
This change is due to type-safety improvement new
select
signature brings.relations
inFindOptions
(used infind*
methods) used as an array of relation names is deprecated.Now you should use a new object-literal notation. Example:
Deprecated way of loading entity relations:
New way of loading entity relations:
This change is due to type-safety improvement new
relations
signature brings.join
inFindOptions
(used infind*
methods) is deprecated. UseQueryBuilder
to build queries containing manual joins.Connection
,ConnectionOptions
are deprecated, new names to use are:DataSource
andDataSourceOptions
.To create the same connection you had before use a new syntax:
new DataSource({ /*...*/ })
.createConnection()
,createConnections()
are deprecated, sinceConnection
is calledDataSource
now, to create a connection and connect to the databasesimply do:
getConnection()
is deprecated. To have a globally accessible connection, simply export your data source and use it in places you need it:getManager()
,getMongoManager()
,getSqljsManager()
,getRepository()
,getTreeRepository()
,getMongoRepository()
,createQueryBuilder()
are all deprecated now. Use globally accessible data source instead:
getConnectionManager()
andConnectionManager
itself are deprecated - nowConnection
is calledDataSource
,and each data source can be defined in exported variable. If you want to have a collection
of data sources, just define them in a variable, simply as:
getConnectionOptions()
is deprecated - in next version we are going to implement different mechanism of connection options loadingAbstractRepository
is deprecated. Use new way of custom repositories creation.Connection.name
andBaseConnectionOptions.name
are deprecated. Connections don't need names anymore since we are going to drop all related methods relying on this property.all deprecated signatures will be removed in
0.4.0
EXPERIMENTAL FEATURES NOT PORTED FROM NEXT BRANCH
observers
- we will consider returning them back with new API in future versionsalternative find operators
- using$any
,$in
,$like
and other operators inwhere
condition.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.