[Snyk] Upgrade typeorm from 0.2.24 to 0.3.26

[akanchhaS]

Snyk has created this PR to upgrade typeorm from 0.2.24 to 0.3.26.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 691 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-TYPEORM-590152	63	Mature
	Prototype Pollution SNYK-JS-XML2JS-5414874	63	Proof of Concept
	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	63	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	63	No Known Exploit

Release notes

Package name: typeorm

• 0.3.26 - 2025-08-18
  

  Notes:

  • When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
    in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
  • When using SAP HANA, TypeORM now uses the built-in pool from the @ sap/hana-client library. The deprecated hdb-pool
    is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

  What's Changed

  • chore: Remove manual trigger on publish workflow by @ michaelbromley in #11536
  • test(ci): force mocha to exit on stuck process by @ OSA413 in #11538
  • fix(oracle): pass duplicated parameters correctly to the client when executing a query by @ alumni in #11537
  • feat(sap): add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud by @ alumni in #11526
  • fix: add stricter type-checking and improve event loop handling by @ alumni in #11540
  • perf: avoid unnecessary count on getManyAndCount by @ EQuincerot in #11524
  • feat(sap): use the native driver for connection pooling by @ alumni in #11520
  • fix: support for better-sqlite3 v12 by @ mohd-akram in #11557
  • fix: preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) by @ kettui in #10679
  • chore: change test badge from test.yml to commit-validation.yml by @ albasyir in #11560
  • fix: do not create junction table metadata when it already exists by @ ragrag in #11114
  • fix(mysql): support AnalyticDB returning version() column name in getVersion() by @ rhydian0x in #11555
  • fix: resolve array modification bug in QueryRunner drop methods #11563 by @ taina0407 in #11564
  • fix(mysql): set stringifyObjects implicitly by @ alumni in #11574
  • docs: separate driver-specific documentation by @ alumni in #11581
  • docs: fix redirect to mongodb page by @ alumni in #11584
  • feat(11528): add Redis 5.x support with backward compatibility wite peer dependency to allow by @ par333k in #11585
  • fix: regtype is not supported in aurora serverless v2 by @ ArsenyYankovsky in #11568
  • fix(platform[web worker]): improve globalThis variable retrieval for … by @ dasoncheng in #11495
  • docs: added @ piying/orm extension to readme by @ wszgrcy in #11596
  • docs: Fix reload option typo by @ radovanovic-stevan in #11601
  • feat: add entity mode virtual-property by @ wszgrcy in #11597
  • chore: Release v0.3.26 by @ michaelbromley in #11602

  New Contributors

  • @ EQuincerot made their first contribution in #11524
  • @ kettui made their first contribution in #10679
  • @ ragrag made their first contribution in #11114
  • @ rhydian0x made their first contribution in #11555
  • @ taina0407 made their first contribution in #11564
  • @ par333k made their first contribution in #11585
  • @ dasoncheng made their first contribution in #11495
  • @ wszgrcy made their first contribution in #11596
  • @ radovanovic-stevan made their first contribution in #11601

  Full Changelog: 0.3.25...0.3.26

• 0.3.26-dev.f351757 - 2025-07-09
• 0.3.26-dev.f2d2236 - 2025-06-21
• 0.3.26-dev.ec26eae - 2025-08-14
• 0.3.26-dev.d57fe3b - 2025-07-20
• 0.3.26-dev.d1e3950 - 2025-08-16
• 0.3.26-dev.bdb8326 - 2025-06-19
• 0.3.26-dev.aebc7eb - 2025-07-01
• 0.3.26-dev.abf8863 - 2025-06-21
• 0.3.26-dev.a4c9dd8 - 2025-07-06
• 0.3.26-dev.8097d1a - 2025-07-29
• 0.3.26-dev.70057de - 2025-06-21
• 0.3.26-dev.6e9f20d - 2025-08-05
• 0.3.26-dev.66ee307 - 2025-07-04
• 0.3.26-dev.5904ac3 - 2025-06-23
• 0.3.26-dev.3c26cf1 - 2025-07-08
• 0.3.26-dev.23fcde2 - 2025-07-28
• 0.3.26-dev.1ea3a5e - 2025-07-03
• 0.3.26-dev.1bcf055 - 2025-06-19
• 0.3.26-dev.17cf837 - 2025-08-01
• 0.3.26-dev.1737e97 - 2025-07-08
• 0.3.26-dev.0b767e8 - 2025-08-16
• 0.3.26-dev.01dddfe - 2025-06-22
• 0.3.26-dev.1698313 - 2025-08-16
• 0.3.25 - 2025-06-19
  

  What's Changed

  • docs: use correct SQL statements in softDelete/restore comments by @ sgarner in #11489
  • fix: resolve alias or table name in upsert and orUpdate for PostgreSQL driver conditionally by @ mmarifat in #11452
  • feat(spanner): use credentials from connection options by @ denes in #11492
  • feat: add upsert support for Oracle, SQLServer and SAP HANA by @ Yuuki-Sakura in #10974
  • fix: handle limit(0) and offset(0) correctly in SelectQueryBuilder by @ yeonghun104 in #11507
  • fix: add collation update detection in PostgresDriver by @ asn6878 in #11441
  • feat: add typesense/docsearch-scraper by @ gioboa in #11424
  • chore: improve linting by @ alumni in #11510
  • chore: improve linting (fixup) by @ alumni in #11511
  • docs: new website initial commit by @ naorpeled in #11408
  • fix: fix up doc search workflow by @ gioboa in #11513
  • chore: update workflows to ignore changes in docs directory by @ dlhck in #11518
  • feat(docs): add Plausible analytics script to Docusaurus config by @ dlhck in #11517
  • docs: add note about using YugabyteDB by @ mguida22 in #11521
  • chore(docs): improve website generation config by @ alumni in #11527
  • fix(tree-entity): closure junction table primary key definition should match parent table by @ gongAll in #11422
  • docs: add heading to Getting Started page by @ sgarner in #11531
  • fix: Multiple relations with same columns cause invalid SQL to be generated by @ yevhen-komarov in #11400
  • fix: fix null pointer exception on date array column comparison by @ mnbaccari in #11532
  • chore(ci): simplify workflows by @ alumni in #11530
  • fix: improve async calls on disconnect by @ alumni in #11523

  New Contributors

  • @ mmarifat made their first contribution in #11452
  • @ yeonghun104 made their first contribution in #11507
  • @ asn6878 made their first contribution in #11441
  • @ gongAll made their first contribution in #11422

  Full Changelog: 0.3.24...0.3.25

• 0.3.25-dev.eb3093d - 2025-06-05
• 0.3.25-dev.ead4f98 - 2025-06-18
• 0.3.25-dev.ce23d46 - 2025-06-16
• 0.3.25-dev.b1e93f7 - 2025-06-18
• 0.3.25-dev.af9ecc0 - 2025-06-17
• 0.3.25-dev.a9c16ee - 2025-06-05
• 0.3.25-dev.930eefd - 2025-06-06
• 0.3.25-dev.86f12c9 - 2025-06-10
• 0.3.25-dev.65d5a00 - 2025-06-05
• 0.3.25-dev.63a3b9a - 2025-06-17
• 0.3.25-dev.61753b1 - 2025-06-05
• 0.3.25-dev.5003aaa - 2025-05-21
• 0.3.25-dev.4b0ffee - 2025-06-06
• 0.3.25-dev.42e7cbe - 2025-06-17
• 0.3.25-dev.42913b9 - 2025-06-11
• 0.3.25-dev.413f0a6 - 2025-06-05
• 0.3.25-dev.2bfa300 - 2025-06-04
• 0.3.25-dev.24c3e38 - 2025-06-05
• 0.3.25-dev.12a71e4 - 2025-05-14
• 0.3.25-dev.07d7913 - 2025-06-04
• 0.3.25-dev.03faa78 - 2025-06-14
• 0.3.24 - 2025-05-14
  

  What's Changed

  • feat: add tagged template for executing raw SQL queries by @ Newbie012 in #11432
  • chore: Add husky and lint-staged by @ maxbronnikov10 in #11448
  • fix: resolve pkg.pr.new issue by @ naorpeled in #11463
  • perf: improve save performance during entities update by @ lotczyk in #11456
  • refactor: remove unused NamingStrategyNotFoundError by @ mguida22 in #11462
  • chore: add note about breaking change in 0.3.23 by @ mguida22 in #11469
  • build: include db version in coveralls flag-name by @ mguida22 in #11461
  • chore: include warning about update({}) in changelog by @ sgarner in #11471
  • feat: add updateAll and deleteAll methods to EntityManager and Repository APIs by @ sgarner in #11459
  • Fix/11466 mssql find operator by @ christian-forgacs in #11468
  • feat(spanner): support insert returning by @ denes in #11460
  • chore: clarify commit practices by @ mguida22 in #11472
  • fix(mssql): avoid mutating input parameter array values by @ sgarner in #11476
  • fix: capacitor driver PRAGMA bug by @ AlexAzartsev in #11467
  • chore: version 0.3.24 by @ mguida22 in #11478

  New Contributors

  • @ denes made their first contribution in #11460
  • @ AlexAzartsev made their first contribution in #11467

  Full Changelog: 0.3.23...0.3.24

• 0.3.24-dev.e9eaf79 - 2025-05-13
• 0.3.24-dev.d325d9e - 2025-05-14
• 0.3.24-dev.c464ff8 - 2025-05-09
• 0.3.24-dev.b8dbca5 - 2025-05-14
• 0.3.24-dev.a6b61f7 - 2025-05-13
• 0.3.24-dev.a213bbd - 2025-05-09
• 0.3.24-dev.9f889b3 - 2025-05-13
• 0.3.24-dev.80e9b30 - 2025-05-07
• 0.3.24-dev.6d1c4f0 - 2025-05-12
• 0.3.24-dev.39a6562 - 2025-05-12
• 0.3.24-dev.15de733 - 2025-05-11
• 0.3.24-dev.144634d - 2025-05-13
• 0.3.24-dev.1198dc2 - 2025-05-12
• 0.3.24-dev.2168441 - 2025-05-11
• 0.3.23 - 2025-05-07
  

  ⚠️ Note on a breaking change

  This release includes a technically breaking change (from this PR) in the behaviour of the delete and update methods of the EntityManager and Repository APIs, when an empty object is supplied as the criteria:

  await repository.delete({})
  await repository.update({}, { foo: 'bar' })

  • Old behaviour was to delete or update all rows in the table
  • New behaviour is to throw an error: Empty criteria(s) are not allowed for the delete/update method.

  Why?

  This behaviour was not documented and is considered dangerous as it can allow a badly-formed object (e.g. with an undefined id) to inadvertently delete or update the whole table.

  When the intention actually was to delete or update all rows, such queries can be rewritten using the QueryBuilder API:

  await repository.createQueryBuilder().delete().execute()
  // executes: DELETE FROM table_name
  await repository.createQueryBuilder().update().set({ foo: 'bar' }).execute()
  // executes: UPDATE table_name SET foo = 'bar'

  An alternative method for deleting all rows is to use:

  await repository.clear()
  // executes: TRUNCATE TABLE table_name

  What's Changed

  • chore: Fix publish command by @ michaelbromley in #11379
  • build(deps): bump tar-fs from 2.1.1 to 2.1.2 by @ dependabot in #11370
  • feat: add new foreign key decorator, and entity schemas options by @ yevhen-komarov in #11144
  • chore: fix changelog generation by @ alumni in #11381
  • feat: Build ESM migrations for JS by @ w3nl in #10802

[akanchhaS]

⛔ Snyk checks have failed. 1 issues have been found so far.

Icon	Severity	Issues
	Critical	0
	High	0
	Medium	1
	Low	0

✅ security/snyk check is complete. No issues have been found. (View Details)

⛔ license/snyk check is complete. 1 issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.