[Snyk] Upgrade typeorm from 0.2.24 to 0.3.20

[esecdj]

Snyk has created this PR to upgrade typeorm from 0.2.24 to 0.3.20.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 526 versions ahead of your current version.

• The recommended version was released on 8 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-TYPEORM-590152	801	Mature
	Prototype Pollution SNYK-JS-XML2JS-5414874	801	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	801	No Known Exploit
	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	801	No Known Exploit

Release notes

Package name: typeorm

• 0.3.20 - 2024-01-26
  

  Bug Fixes

  • added missing parentheses in where conditions (#10650) (4624930), closes #10534
  • don't escape indexPredicate (#10618) (dd49a25)
  • fallback runMigrations transaction to DataSourceOptions (#10601) (0cab0dd)
  • hangup when load relations with relationLoadStrategy: query (#10630) (54d8d9e), closes #10481
  • include asExpression columns in returning clause (#10632) (f232ba7), closes #8450 #8450
  • multiple insert in SAP Hana (#10597) (1b34c9a)
  • resolve issue CREATE/DROP Index concurrently (#10634) (8aa8690), closes #10626
  • type inferencing of EntityManager#create (#10569) (99d8249)

  Features

  • add json type support for Oracle (#10611) (7e85460)
  • add postgres multirange column types (#10627) (d0b7670), closes #10556
  • add table comment for postgres (#10613) (4493db4)

  Reverts

  • Revert "fix: prevent using absolute table path in migrations unless required (#10123)" (#10624) (8f371f2), closes #10123 #10624
  • revert "feat: nullable embedded entities (#10289)" (#10614) (15de46f), closes #10289 #10614
• 0.3.20-dev.fa86f6f - 2024-01-03
• 0.3.20-dev.f232ba7 - 2024-01-26
• 0.3.20-dev.dd8c0fd - 2024-01-26
• 0.3.20-dev.d0b7670 - 2024-01-26
• 0.3.20-dev.c22e30f - 2024-01-04
• 0.3.20-dev.8f371f2 - 2024-01-26
• 0.3.20-dev.8ebe769 - 2024-01-26
• 0.3.20-dev.73e3b49 - 2024-01-03
• 0.3.20-dev.62f574b - 2024-01-26
• 0.3.20-dev.54d8d9e - 2024-01-26
• 0.3.20-dev.1b34c9a - 2024-01-26
• 0.3.20-dev.15de46f - 2024-01-08
• 0.3.20-dev.0cab0dd - 2024-01-26
• 0.3.20-dev.4624930 - 2024-01-26
• 0.3.19 - 2024-01-03
  

  Bug Fixes

  • fixed Cannot read properties of undefined (reading 'sync') caused after glob package upgrade
• 0.3.19-dev.633c4e3 - 2024-01-03
• 0.3.18 - 2024-01-03
  

  Bug Fixes

  • add BaseEntity to model-shim (#10503) (3cf938e)
  • add error handling for missing join columns (#10525) (122c897), closes #7034
  • add missing export for View class (#10261) (7adbc9b)
  • added fail callback while opening the database in Cordova (#10566) (8b4df5b)
  • aggregate function throw error when column alias name is set (#10035) (022d2b5), closes #9927
  • backport postgres connection error handling to crdb (#10177) (149226d)
  • bump better-sqlite3 version range (#10452) (75ec8f2)
  • caching always enabled not caching queries (#10524) (8af533f)
  • circular dependency breaking node.js 20.6 (#10344) (ba7ad3c), closes #10338
  • correctly keep query.data from ormOption for commit / rollback subscribers (#10151) (73ee70b)
  • default value in child table/entity column decorator for multiple table inheritance is ignored for inherited columns (#10563) (#10564) (af77a5d)
  • deletedAt column leaking as side effect of object update while creating a row (#10435) (7de4890)
  • empty objects being hydrated when eager loading relations that have a @ VirtualColumn (#10432) (b53e410), closes #10431
  • extend GiST index with range types for Postgres driver (#10572) (a4900ae), closes #10567
  • ignore changes for columns with update: false in persistence (#10250) (f8fa1fd), closes #10249
  • improve helper for cli for commands missing positionals (#10133) (9f8899f)
  • loading datasource unable to process a regular default export (#10184) (201342d), closes #8810
  • logMigration has incorrect logging condition (#10323) (d41930f), closes #10322 #10322
  • ManyToMany ER_DUP_ENTRY error (#10343) (e296063), closes #5704
  • migrations on indexed TIMESTAMP WITH TIME ZONE Oracle columns (#10506) (cf37f13), closes #10493
  • mongodb - undefined is not constructor (#10559) (ad5bf11)
  • mongodb resolves leaked cursor (#10316) (2dc9624), closes #10315
  • mssql datasource testonborrow not affecting anything (#10589) (122b683)
  • nested transactions issues (#10210) (25e6ecd)
  • prevent using absolute table path in migrations unless required (#10123) (dd59524)
  • remove date-fns in favor of DayJs (#10306) (cf7147f)
  • remove dynamic require calls (#10196) (a939654)
  • resolve circular dependency when using Vite (#10273) (080528b)
  • resolve issue building eager relation alias for nested relations (#10004) (c6f608d), closes #9944
  • resolve issue of generating migration for numeric arrays repeatedly (#10471) (39fdcf6), closes #10043
  • resolve issue queryBuilder makes different parameter identifiers for same parameter (#10327) (6c918ea), closes #7308
  • resolve issues on upsert (#10588) (dc1bfed), closes #10587
  • scrub all comment end markers from comments (#10163) (d937f61)
  • serialize bigint when building a query id #10336 (#10337) (bfc1cc5)
  • should automatically cache if alwaysEnable (#10137) (173910e), closes #9910
  • SQLite simple-enum column parsing (#10550) (696e688)
  • update UpdateDateColumn on upsert (#10458) (fdb9866), closes #9015
  • upgrade ts-node version to latest(10.9.1) version (#10143) (fcb9904)
  • using async datasource to configure typeorm (#10170) (fbd45db)

  Features

  • ability to change default replication mode (#10419) (72b1d1b)
  • add concurrent indexes for postgres (#10442) (f4e6eaf)
  • add exists and exists by (#10291) (b6b46fb)
  • add isolated where statements (#10213) (3cda7ec)
  • add MSSQL disableAsciiToUnicodeParamConversion option and tests (#10161) (df7c069), closes #10131
  • add support for mssql server DefaultAzureCredential usage (#10246) (c8ee5b1)
  • add support for table comment in MySQL (#10017) (338df16)
  • allow to use custom type witch extends object type for find where argument (#10475) (48f5f85)
  • BeforeQuery and AfterQuery events (#10234) (5c28154), closes #3302
  • custom STI discriminator value for EntitySchema (#10508) (b240d87), closes #10494
  • enabled CTE for oracle driver (#10319) (65858f3)
  • entityId in InsertEvent (#10540) (ae006af)
  • expose countDocuments in mongodb (#10314) (ebd61d1)
  • exposed entity and criteria properties on EntityNotFoundError (#10202) (bafcd17)
  • implement column comments for SAP HANA (#10502) (45e31cc)
  • implement OR operator (#10086) (a00b1df), closes #10054 #10054 #10054 #10054 #10054 #10054 #10054
  • implement streaming for SAP HANA (#10512) (7e9cead)
  • implements QueryFailedError generic for driverError typing (#10253) (78b2f48)
  • modify repository.extend method for chaining repositories (#10256) (ca29c0f)
  • nullable embedded entities (#10289) (e67d704)
  • support for MongoDB 6.x (#10545) (3647b26)
  • support mssql@10 (#10356) (f6bb671), closes #10340
  • use node-oracledb 6 (#10285) (3af891a), closes #10277
  • user-defined index name for STI discriminator column (#10509) (89c5257), closes #10496

  Performance Improvements

  • improve SapQueryRunner performance (#10198) (f6b87e3)

  BREAKING CHANGES

  • With node-oracledb the thin client is used as default. Added a option to use the thick client. Also added the option to specify the instant client lib
  • MongoDB: from the previous behavior of returning a result with metadata describing when a document is not found.
    See: https://github.com/mongodb/node-mongodb-native/blob/HEAD/etc/notes/CHANGES_6.0.0.md
  • new nullable embeds feature introduced a breaking change which might enforce you to update types on your entities to | null,
    if all columns in your embed entity are nullable. Since database queries now return embedded property as null if all its column values are null.
• 0.3.18-dev.ff6e875 - 2023-07-22
• 0.3.18-dev.fdb9866 - 2023-12-29
• 0.3.18-dev.fbd45db - 2023-08-19
• 0.3.18-dev.f6bb671 - 2023-12-29
• 0.3.18-dev.f6b87e3 - 2023-12-29
• 0.3.18-dev.ebd61d1 - 2023-09-30
• 0.3.18-dev.e72a9da - 2023-08-19
• 0.3.18-dev.e67d704 - 2024-01-02
• 0.3.18-dev.dff2d53 - 2023-07-22
• 0.3.18-dev.dd59524 - 2024-01-02
• 0.3.18-dev.d184d85 - 2023-10-05
• 0.3.18-dev.c8ee5b1 - 2023-08-19
• 0.3.18-dev.c6f608d - 2023-08-19
• 0.3.18-dev.befe4f9 - 2023-09-02
• 0.3.18-dev.b8af97a - 2023-09-30
• 0.3.18-dev.b6b46fb - 2023-12-29
• 0.3.18-dev.b5ec088 - 2024-01-03
• 0.3.18-dev.b240d87 - 2023-12-29
• 0.3.18-dev.ad5bf11 - 2023-12-29
• 0.3.18-dev.aa8d24c - 2023-12-29
• 0.3.18-dev.a939654 - 2023-12-29
• 0.3.18-dev.a909d5b - 2023-07-12
• 0.3.18-dev.a4900ae - 2023-12-29
• 0.3.18-dev.a00b1df - 2024-01-02
• 0.3.18-dev.9471bfc - 2023-09-22
• 0.3.18-dev.8d0e7f9 - 2023-09-30
• 0.3.18-dev.7e9cead - 2023-12-29
• 0.3.18-dev.7adbc9b - 2023-08-19
• 0.3.18-dev.7a58bbf - 2023-12-29
• 0.3.18-dev.6d5b5d9 - 2023-12-29
• 0.3.18-dev.65858f3 - 2023-12-29
• 0.3.18-dev.48f5f85 - 2023-12-29
• 0.3.18-dev.3cf938e - 2023-12-29
• 0.3.18-dev.3cda7ec - 2024-01-02
• 0.3.18-dev.2dc9624 - 2023-12-29
• 0.3.18-dev.173910e - 2024-01-02
• 0.3.18-dev.15bc887 - 2024-01-03
• 0.3.18-dev.122c897 - 2023-12-29
• 0.3.18-dev.0f11739 - 2024-01-02
• 0.3.18-dev.022d2b5 - 2023-08-19
• 0.3.17 - 2023-06-20
  

  Bug Fixes

  • #10040 TypeORM synchronize database even if it is up to date (#10041) (b1a3a39)
  • add missing await (#10084) (f5d4397)
• 0.3.17-dev.f5d4397 - 2023-06-19
• 0.3.17-dev.d4607a8 - 2023-05-10
• 0.3.17-dev.b1a3a39 - 2023-06-20
• 0.3.17-dev.abb9079 - 2023-05-09
• 0.3.17-dev.7108cc6 - 2023-06-20
• 0.3.16 - 2023-05-09
  

  0.3.16 (2023-05-09)

  Bug Fixes

  • add trustServerCertificate option to SqlServerConnectionOptions (#9985) (0305805), closes #8093
  • add directConnection options to MongoDB connection (#9955) (e0165e7)
  • add onDelete option validation for oracle (#9786) (938f94b), closes #9189
  • added instanceName to options (#9968) (7c5627f)
  • added transaction retry logic in cockroachdb (#10032) (607d6f9)
  • allow json as alias for longtext mariadb (#10018) (2a2bb4b)
  • convert the join table ID to the referenceColumn ID type (#9887) (9460296)
  • correct encode mongodb auth credentials (#10024) (96b7ee4), closes #9885
  • create correct children during cascade saving entities with STI (#9034) (06c1e98), closes #7758 #7758 #9033 #9033 #7758 #7758
  • express option bug in init command (#10022) (5be20e2)
  • for running cli-ts-node-esm use exit code from child process (#10030) (a188b1d), closes #10029
  • mongodb typings breaks the browser version (#9962) (99bef49), closes #9959
  • RelationIdLoader has access to queryPlanner when wrapped in transaction (#9990) (21a9d67), closes #9988
  • resolve duplicate subscriber updated columns (#9958) (3d67901), closes #9948
  • select + addOrderBy broke in 0.3.14 (#9961) (0e56f0f), closes #9960
  • support More/LessThanOrEqual in relations (#9978) (8795c86)

  Features

  • mariadb uuid inet4 inet6 column data type support (#9845) (d8a2e37)

  Reverts

  • "refactor: remove date-fns package (#9634)" (54f4f89)
• 0.3.16-dev.f5b93c1 - 2023-04-18
• 0.3.16-dev.e0165e7 - 2023-04-17
• 0.3.16-dev.d8a2e37 - 2023-04-25
• 0.3.16-dev.b064049 - 2023-04-18
• 0.3.16-dev.a188b1d - 2023-05-09
• 0.3.16-dev.96b7ee4 - 2023-05-09
• 0.3.16-dev.8795c86 - 2023-05-09
• 0.3.16-dev.68aa573 - 2023-04-15
• 0.3.16-dev.54f4f89 - 2023-05-09
• 0.3.16-dev.3d67901 - 2023-04-18
• 0.3.16-dev.2a2bb4b - 2023-05-09
• 0.3.16-dev.21a9d67 - 2023-05-09
• 0.3.16-dev.06c1e98 - 2023-05-09
• 0.3.16-dev.9460296 - 2023-05-09
• 0.3.15 - 2023-04-15
  

  Bug Fixes

  • make cache optional fields optional (#9942) (159c60a)
  • prevent unique index identical to primary key (all sql dialects) (#9940) (51eecc2)
  • SelectQueryBuilder builds incorrectly escaped alias in Oracle when used on entity with composite key (#9668) (83c6c0e)

  Features

  • support for the latest mongodb v5 (#9925) (f6a3ce7), closes #7907 #7907
• 0.3.15-dev.f6a3ce7 - 2023-04-15
• 0.3.15-dev.f1c5662 - 2023-04-15
• 0.3.15-dev.3a72e35 - 2023-04-13
• 0.3.15-dev.115059d - 2023-04-10
• 0.3.14 - 2023-04-09
  

  Bug Fixes

  • drop xml & yml connection option support. Addresses security issues in underlying dependency (#9930) (7dac12c)

  Features

  • QueryBuilder performance optimizations (#9914) (12e9db0)
• 0.3.14-dev.daf1b47 - 2023-04-06
• 0.3.14-dev.0194f17 - 2023-04-06
• 0.3.13 - 2023-04-06
  

  Bug Fixes

  • firstCapital=true not working in camelCase() function (f1330ad)
  • handles "query" relation loading strategy for TreeRepositories (#9680) (a11809e), closes #9673
  • improve EntityNotFound error message in QueryBuilder.findOneOrFail (#9872) (f7f6817)
  • loading tables with fk in sqlite query runner (#9875) (4997da0), closes #9266
  • prevent foreign key support during migration batch under sqlite (#9775) (197cc05), closes #9770
  • proper default value on generating migration when default value is a function calling [Postgres] (#9830) (bebba05)
  • react-native doesn't properly work in ESM projects because of circular dependency (#9765) (099fcd9)
  • resolve issues for mssql migration when simple-enum was changed (cb154d4), closes #7785 #9457 #7785 #9457
  • resolves issue with mssql column recreation (#9773) (07221a3), closes #9399
  • transform values for FindOperators #9381 (#9777) (de1228d), closes #9816
  • use forward slashes when normalizing path (#9768) (58fc088), closes #9766
  • use object create if entity skip constructor is set (#9831) (a868979)

  Features

  • add support for json datatype for sqlite (#9744) (4ac8c00)
  • add support for STI on EntitySchema (#9834) (bc306fb), closes #9833
  • allow type FindOptionsOrderValue for order by object property (#9895) (#9896) (0814970)
  • Broadcast identifier for removed related entities (#9913) (f530811)
  • leftJoinAndMapOne and innerJoinAndMapOne map result to entity (#9354) (947ffc3)
• 0.3.13-dev.f7f6817 - 2023-04-06
• 0.3.13-dev.f7b210b - 2023-04-05
• 0.3.13-dev.f1330ad - 2023-04-06
• 0.3.13-dev.de1228d - 2023-04-06
• 0.3.13-dev.af4f15c - 2023-04-06
• 0.3.13-dev.a868979 - 2023-04-06
• 0.3.13-dev.a11809e - 2023-04-06
• 0.3.13-dev.98f2205 - 2023-04-05
• 0.3.13-dev.97280fc - 2023-04-06
• 0.3.13-dev.58fc088 - 2023-02-09
• 0.3.13-dev.4fa14e3 - 2023-04-05
• 0.3.13-dev.4ac8c00 - 2023-04-06
• 0.3.13-dev.1fcd9f3 - 2023-04-05
• 0.3.13-dev.099fcd9 - 2023-02-08
• 0.3.13-dev.07221a3 - 2023-04-05
• 0.3.13-dev.0619aca - 2023-04-06
• 0.3.12 - 2023-02-07
  

  Bug Fixes

  • allow to pass ObjectLiteral in mongo find where condition (#9632) (4eda5df), closes #9518
  • DataSource.setOptions doesn't properly update the database in the drivers (#9635) (a95bed7)
  • Fix grammar error in no migrations found log (#9754) (6fb2121)
  • improved FindOptionsWhere behavior with union types (#9607) (7726f5a)
  • Incorrect enum default value when table name contains dash character (#9685) (b3b0c11)
  • incorrect sorting of entities with multi-inheritances (

[esecdj]

Checkmarx One – Scan Summary & Details – 9e58d467-496e-46cd-b41f-06dbccd15b8d

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-45296	Npm-path-to-regexp-0.1.3	Vulnerable Package
	CVE-2024-45590	Npm-body-parser-1.9.0	Vulnerable Package

Fixed Issues

Severity	Issue	Source File / Package
	CVE-2020-26237	Npm-highlight.js-9.18.1
	CVE-2020-8158	Npm-typeorm-0.2.24
	Cx1f5f7dfa-e547	Npm-highlight.js-9.18.1