chore(deps): update dependency typeorm to v0.3.29 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
typeorm (source)	0.3.28 → 0.3.29

---

TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)

GHSA-9ggv-8w38-r7pm

More information

Details

Impact

Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder affecting MySQL and MariaDB users.

UpdateQueryBuilder and SoftDeleteQueryBuilder (including their addOrderBy variants) do not validate the order parameter against an allowlist of permitted values (ASC/DESC). The caller-supplied value is stored verbatim and concatenated directly into the generated SQL string without quoting or parameterization. SelectQueryBuilder.orderBy performs this validation correctly; the affected builders do not.

If any code path passes user-controlled input to orderBy/addOrderBy on an update or soft-delete query, an attacker can inject arbitrary SQL via the sort direction — even when the column name itself is hardcoded.

Demonstrated impact includes:

• Data exfiltration via time-based blind extraction (e.g. using SLEEP() to infer secret values bit by bit)
• Row targeting manipulation in queries using LIMIT patterns
• Denial of service via SLEEP()-based query exhaustion

CVSS 3.1: 8.6 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected files (relative to commit 73fda419):

• src/query-builder/UpdateQueryBuilder.ts: lines 383–419 and 718–744
• src/query-builder/SoftDeleteQueryBuilder.ts: lines 352–388 and 520–546

The vulnerability was introduced in commit 03799bd2 (v0.1.12) and is present through the latest release (v0.3.28).

Patches

A fix has been released in 0.3.29 (1b66c44) and 1.0.0 (93eec63).

Workarounds

Applications can manually validate the order argument before passing it to orderBy or addOrderBy on update or soft-delete query builders:

const direction = userInput.toUpperCase();
if (direction !== 'ASC' && direction !== 'DESC') {
  throw new Error('Invalid sort direction');
}
qb.orderBy(column, direction as 'ASC' | 'DESC');

Do not pass user-controlled values to orderBy/addOrderBy on UpdateQueryBuilder or SoftDeleteQueryBuilder without this validation.

References

• Introduced in commit 03799bd2 (v0.1.12)
• Confirmed present in v0.3.28 (commit 73fda419)
• See SelectQueryBuilder.orderBy for the correct validation pattern this fix should mirror

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/typeorm/typeorm/security/advisories/GHSA-9ggv-8w38-r7pm
• https://github.com/typeorm/typeorm/commit/1b66c44d0410bdc56a0dcefb46be41867ec0fffc
• https://github.com/typeorm/typeorm/commit/93eec630630b219b162ba4e0c072afa851697cff
• https://github.com/advisories/GHSA-9ggv-8w38-r7pm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

typeorm/typeorm (typeorm)

v0.3.29

Compare Source

What's Changed

• fix: fix up aggregate methods ambiguous column by @​Cprakhar in #​11822
• fix: prevent eager-loaded entities from overwriting manual relations by @​LeviHeber in #​11267
• fix: release query runner when there is no migration to revert by @​mjr128 in #​11232
• fix: add async to the method using setFindOptions() by @​bindon in #​10787
• chore: disable eslint errors for chai assertions by @​alumni in #​11833
• ci(tests): Remove limitation of branches to run on by @​OSA413 in #​11794
• ci: upgrade actions to v6 by @​pkuczynski in #​11844
• docs(v0.3): add version dropdown (stable/dev) by @​naorpeled in #​11863
• fix(sap): QueryBuilder parameter of type JS Date not escaped correctly by @​alumni in #​11867
• feat(sap): add pool timeout by @​alumni in #​11868
• feat(qodo): enable new review experience in v0.3 by @​naorpeled in #​11910
• feat: add returning option to update/upsert operations by @​naorpeled in #​11782
• test: enable repository-returning test by @​gioboa in #​11913
• chore(qodo): disable in progress notification in v0.3 by @​naorpeled in #​11928
• ci(docs): add deploy Github Action to v0.3 branch by @​naorpeled in #​11929
• chore(qodo): disable persistent comments and inline code suggestions in v0.3 by @​naorpeled in #​11989
• chore(deps): update all dependencies to the latest minor version by @​alumni in #​12015
• fix(redis): redis cache version detection by @​mguida22 in #​11936
• ci: remove summary comments location policy by @​naorpeled in #​12117
• ci(qodo): remove /improve from pr and push commands by @​naorpeled in #​12129
• ci: migrate from npm to pnpm by @​pkuczynski in #​12193
• ci(qodo): sync qodo pr agent config from master by @​naorpeled in #​12265
• ci: remove docs indexing by @​alumni in #​12435
• fix(security): validate limit() in Update/SoftDelete query builders by @​smith-xyz in #​12437
• chore(deps): update all minor by @​alumni in #​12443
• chore(release): release 0.3.29 by @​michaelbromley in #​12442

New Contributors

• @​LeviHeber made their first contribution in #​11267
• @​mjr128 made their first contribution in #​11232
• @​bindon made their first contribution in #​10787

Full Changelog: typeorm/typeorm@0.3.28...0.3.29

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.