Skip to content

Bump @adonisjs/lucid from 6.1.3 to 21.8.2 in /api #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump @adonisjs/lucid from 6.1.3 to 21.8.2 in /api #7

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jan 13, 2026

Bumps @adonisjs/lucid from 6.1.3 to 21.8.2.

Release notes

Sourced from @​adonisjs/lucid's releases.

Prevent mass assignment vulnerability

Security update for CVE-2026-22814.

This release fixes a mass assignment vulnerability in Lucid that could allow user input to override internal ORM state properties.

The issue was caused by relying on hasOwnProperty checks during model assignments, which unintentionally allowed setting internal properties like $attributes, $original, or $isPersisted when passing untrusted input to methods such as fill, merge, or create.

Applications that already properly validate and whitelist input data before passing it to Lucid models are not affected.

Support VineJS v4

21.8.1 (2025-10-31)

Bug Fixes

What's Changed

Full Changelog: adonisjs/lucid@v21.8.0...v21.8.1

Use natural sort when executing seeders and display migration filename during error in compact mode

21.8.0 (2025-07-22)

Bug Fixes

Features

  • show file name in which the migration failed when using the --compact-output flag (#1108) (4e7589f)

What's Changed

New Contributors

Full Changelog: adonisjs/lucid@v21.7.0...v21.8.0

Extend sideload data, perform model.save without triggering hooks and bug fixes

21.7.0 (2025-06-26)

Bug Fixes

... (truncated)

Commits
  • ac24b2a chore(release): 21.8.2
  • 6e8a217 chore: update node version to 24 for release workflow
  • fff9b46 fix(orm): guard internal state in $consumeAdapterResult
  • 93c26b1 style: format with latest prettier release
  • 3416518 chore: update dependencies
  • b007b12 fix(orm): guard internal state in merge
  • 64e325d chore(release): 21.8.1
  • 66a88f3 chore: add support for vinejs 4
  • 9de4c6d chore: update dependencies
  • a4e44c9 fix: nullable relation types (#1130)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​adonisjs/lucid since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump @adonisjs/lucid from 6.1.3 to 21.8.2 in /api
301396c 
Bumps [@adonisjs/lucid](https://github.com/adonisjs/lucid) from 6.1.3 to 21.8.2.
- [Release notes](https://github.com/adonisjs/lucid/releases)
- [Commits](adonisjs/lucid@v6.1.3...v21.8.2)

---
updated-dependencies:
- dependency-name: "@adonisjs/lucid"
  dependency-version: 21.8.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 13, 2026
@vercel
Copy link

vercel bot commented Jan 13, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
openletter Ready Ready Preview, Comment Jan 13, 2026 8:39pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant