fix(deps): update dependency knex to v0.19.5 [security]#75

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-knex-vulnerability

renovate bot commented Nov 11, 2019 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
knex (source)	`0.14.2` → `0.19.5`

GitHub Vulnerability Alerts

CVE-2019-10757

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

CVE-2016-20018

Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. This vulnerability has been fixed in version 2.4.0.

Release Notes

knex/knex (knex)

`v0.19.5`

New features:

CLI: Migrations up/down commands - filename parameter #3416
Oracle: Support stored procedures #3449

Bug fixes:

MSSQL: Escape column ids correctly in all cases (reported by Snyk Security Research Team) #3382
SQLite: Fix handling of multiline SQL in SQLite3 schema #3411
Fix concurrent child transactions failing #2213 #3440

Typings:

Add missing Migrator.list typing #3460
Fix Typescript type inference for to better support wildcard (*) calls #3444
Make options argument optional in timeout #3442

Test / internal changes:

Enable linting in CI #3450

`v0.19.4`

New features:

Add undefined columns to undefined binding(s) error #3425

Typings:

Add specific to SeederConfig type #3429
Fix some issues with QueryBuilder types #3427

`v0.19.3`

Bug fixes:

Fix migrations for native enums to use table schema #3307

New features:

Add ability to manually define schema for native enums #3307
Add SSL/TLS support for Postgres connection string #3410
CLI: new command that lists all migrations with status #3390

Typings:

Include schemaName in EnumOptions #3415
Allow ColumnBuilder.defaultTo() to be null #3407

Changes:

migrate: Refactor _lockMigrations to avoid forUpdate - makes migrations compatible with CockroachDB #3395

`v0.19.2`

Changes:

Make transaction rejection consistent across dialects #3399
More consistent handling of nested transactions #3393

New features:

Fallback to JSON when using JSONB in MySQL #3394

`v0.19.1`

New features:

Allow to extend knex query builder #3334
Add .isCompleted() to transaction #3368
Minor enhancements around aliasing of aggregates #3354

Typings:

Update configuration typings to allow for oracle db connectionstring #3361
Update Knex.raw type to be any by default because the actual type is dialect specific #3349

`v0.19.0`

Changes:

Pooling: tarn.js connection pool was updated to version 2.0.0. This fixes issue with destroying connections and introduces support for connection pool event handlers. Please see tarn.js documentation for more details #3345
Pooling: Passing unsupported pooling configuration options now throws an error
Pooling: beforeDestroy configuration option was removed

`v0.18.4`

New features:

Seeds: Option to run specific seed file #3335
Implement "skipLocked()" and "noWait()" #2961

Bug fixes:

CLI: Respect the knexfile stub option while generating a migration #3337
Fix mssql import not being ignored, breaking webpack builds #3336

`v0.18.3`

New features:

CLI: add --stub option to migration:make #3316

Bug fixes:

Fix return duplicate transaction promise for standalone transactions #3328

`v0.18.2`

Bug fixes:

Fix remove duplicate transaction rejection #3324
Fix issues around specifying default values for columns #3318
CLI: Fix empty --version output #3312

`v0.18.1`

Bug fixes:

Do not reject duplicate promise on transaction rollback #3319

`v0.18.0`

Bug fixes:

Do not reject promise on transaction rollback (by default only for new, non-callback, style of transactions for now to avoid breaking old code) #3235

New features:

Added doNotRejectOnRollback options for starting transactions, to prevent rejecting promises on rollback for callback-style transactions.
Use extension from knexfile for generating migrations unless overriden #3282
Use migrations.extension from config when generating migration #3242
Expose executionPromise for transactors #3297

Bug fixes:

Oracle: Updated handling of connection errors for disposal #2608
Fix extension resolution from env configs #3294

Test / internal changes:

Drop support for Node.js 6 #3227
Remove Babel #3227
Remove Bluebird #3290 #3287 #3285 #3267 #3266 #3263
Fix comments that were modified by find & replace #3308

Typings:

Add workarounds for degraded inference when strictNullChecks is set to false #3275
Add stub type definition for Migrator config #3279
Add stub to seeds type #3296
Fix MSSQL config typings #3269
Add pgsql specific table builder method typings #3146

`v0.17.6`

`v0.17.5`

Typings:

Include result.d.ts in published package #3271

`v0.17.4`

Typings:

Fix some cases of left-to-right inference causing type mismatch #3265
Improve count typings #3249

Bug fixes:

Fix error message bubbling up on seed error #3248

`v0.17.3`

Typings:

Improve typings for aggregations #3245
Add decimalNumbers to MySqlConnectionConfig interface #3244

`v0.17.2`

Typings

Improve count typings #3239

Bug fixes:

"colorette" dependency breaks browserify builds #3238

`v0.17.1`

New features:

Add migrate:down functionality #3228

Typings:

Update type of aggregation results to not be arrays when first has been invoked before #3237
Include undefined in type of single row results #3231
Fix incorrect type definitions for single row queries #3230

`v0.17.0`

New features:

Add support for returning started transaction without immediately executing it #3099
Add support for passing transaction around with only starting it when needed #3099
Add clearHaving function #3141
Add --all flag for rollback in CLI #3187
Add error detail log to knex CLI #3149
Support multi-column whereIn in sqlite through values clause #3220
Allow users to specify the migrations "tableName" parameter via the CLI #3214
Unify object options handling for datetime/timestamp across dialects #3181
Add "up" command for migrations #3205

Typings:

Add default values for generic types (fixes backwards compatibility broken by 0.16.6) #3189
Make function types generic in type definitions #3168
Add missing types to MigratorConfig #3174
Add types for havingBetween, orHavingBetween, havingNotBetween and orHavingNotBetween #3144
Update Knex.Config types to include log #3221
Fix some more cases of missing typings #3223
Support type safe refs #3215
Expose some utility types #3211
Fix issues with typings of joins and some conflicts with Bluebird typings #3209

Bug fixes:

Fix order of migration rollback #3172

Test / internal changes:

Execute CI tests on Node.js 12 #3171
Docker-based test dbs #3157
Use cli-testlab for testing CLI #3191

`v0.16.5`

Bundle polyfills with knex for 0.16.x line again #3139

`v0.16.4`

New features:

Boolean param for rollback() to rollback all migrations #2968
seed:run print the file name of the failing seed #2972 #2973
verbose option to CLI commands #2887
add intersect() #3023
Improved format for TS stubs #3080
MySQL: Support nullable timestamps #3100
MySQL: Warn .returning() does not have any effect #3039

Bug fixes:

Respect "loadExtensions" configuration #2969
Fix event listener duplication when using Migrator #2982
Fix fs-migrations breaking docs #3022
Fix sqlite3 drop/renameColumn() breaks with postProcessResponse #3040
Fix transaction support for migrations #3084
Fix queryContext not being passed to raw queries #3111
Typings: Allow to pass query builders, identifiers and raw in various places as parameters #2960
Typings: toNative() definition #2996
Typings: asCallback() definition #2963
Typings: queryContext() type definition Knex.Raw #3002
Typings: Add "constraintName" arg to primary() definition #3006
Typings: Add missing schemaName in MigratorConfig #3016
Typings: Add missing supported parameter types and toSQL method #2960
Typings: Update enum arguments to reflect latest signature #3043
Typings: Add size parameter to integer method #3074
Typings: Add 'string' as accepted Knex constructor type definition #3105
Typings: Add boolean as a column name in join #3121
Typings: Add missing clearOrder & clearCounters types #3109
Dependencies: Fix security warning #3082
Do not use unsupported column width/length arguments on data types int and tinyint in MSSQL #2738

Changes:

Make unionAll()'s call signature match union() #3055

Test / internal changes:

Swap chalk→colorette / minimist→getopts #2718
Always use well documented pg client query() config argument #3004
Do not bundle polyfills with knex #3024

`v0.16.3`

Bug fixes:

@babel/polyfill loaded multiple times #2955
Resolve migrations and seeds relatively to knexfile directory when specified (the way it used to be before 0.16.1) #2952

`v0.16.2`

Bug fixes:

Add TypeScript types to the "files" entry so they are properly included in the release #2943

`v0.16.1`

Breaking Changes:

Use datetime2 for MSSQL datetime + timestamp types. This change is incompatible with MSSQL older than 2008 #2757
Knex.VERSION() method was removed, run "require('knex/package').version" instead #2776
Knex transpilation now targets Node.js 6, meaning it will no longer run on older Node.js versions #2813
Add json type support for SQLite 3.9+ (tested to work with Node package 'sqlite3' 4.0.2+) #2814

New features:

Support passing explicit connection to query builder (#2817)
Introduced abstraction for getting migrations to make migration bundling easier #2775
Allow timestamp with timezone on mssql databases #2724
Allow specifying multiple migration directories #2735
Allow cloning query builder with .userParams({}) assigned to it #2802
Allow chaining of increment, decrement, and update #2740
Allow table names with forUpdate/forShare #2834
Added whereColumn and the associated not / and / or methods for using columns on the right side of a where clause #2837
Added whereRecursive method to make self-referential CTEs possible #2889
Added support for named unique, primary and foreign keys to SQLite3 #2840
Added support for generating new migration and seed files without knexfile #2884 #2905 #2935
Added support for multiple columns in .orderBy() #2881
Added option of existingType to .enum() method to support repeated use of enums #2719
Added option to pass indexType for MySQL dialect #2890
Added onVal and the associated not / and / or methods for using values in on clauses within joins #2746
Kill queries after timeout for PostgreSQL #2636
Manage TypeScript types internally #2845
Support 5.0.0+ versions of mssql driver #2861
Typescript migration stub #2816
Options object for passing timestamp parameters + regression tests #2919

Bug fixes:

Implement fail-fast logic for dialect resolution #2776
Fixed identifier wrapping for using(). Use columnize instead of wrap in using() #2713
Fix issues with warnPromise when migration does not return a promise #2730
Compile with before update so that bindings are put in correct order #2733
Fix join using builder withSchema #2744
Throw instead of process.exit when client module missing #2843
Display correct filename of a migration that failed #2910
Fixed support of knexSnakeCaseWrappers in migrations #2914
SQlite3 renameColunm quote fix #2833
Adjust typing for forUpdate()/forShare() variant with table names #2858
Fix execution of Oracle tests on Node 11 #2920
Fix failures in oracle test bench and added it back to mandatory CI tests #2924
Knex client knexfile resolution fix #2923
Add queryContext to type declarations #2931

Test / internal changes:

Add tests for multiple union arguments with callbacks and builders #2749
Update dependencies #2772 #2810 #2842 #2848 #2893 #2904
Separate migration generator #2786
Do not postprocess internal queries in Migrator #2914 #2934
Use Babel 7 #2813
Introduce LGTM.com badge #2755
Cleanup based on analysis by https://lgtm.com #2870
Add test for retrieving null dates #2865
Add link to wiki #2866
Add tests for specifying explicit pg version #2895
Execute tests on Node.js 11 #2873
Version upgrade guide #2894

`v0.15.2`

Changes:

Rolled back changes introduced by #2542, in favor of opt-in behavior by adding a precision option in date / timestamp / datetime / knex.fn.now (#2715, #2721)

`v0.15.1`

Bug fixes:

Fix warning erroneously displayed for mysql #2705

`v0.15.0`

Breaking Changes:

Stop executing tests on Node 4 and 5. #2451 (not supported anymore)
json data type is no longer converted to text within a schema builder migration for MySQL databases (note that JSON data type is only supported for MySQL 5.7.8+) #2635
Removed WebSQL dialect #2461
Drop mariadb support #2681
Primary Key for Migration Lock Table #2569. This shouldn't affect to old loc tables, but if you like to have your locktable to have primary key, delete the old table and it will be recreated when migrations are ran next time.
Ensure knex.destroy() returns a bluebird promise #2589
Increment floats #2614
Testing removal of 'skim' #2520, Now rows are not converted to plain js objects, returned row objects might have changed type with oracle, mssql, mysql and sqlite3
Drop support for strong-oracle #2487
Timeout errors doesn't silently ignore the passed errors anymore #2626
Removed WebSQL dialect #2647
Various fixes to mssql dialect to make it compatible with other dialects #2653, Unique constraint now allow multiple null values, float type is now float instead of decimal, rolling back transaction with undefined rejects with Error, select for update and select for share actually locks selected row, so basically old schema migrations will work a lot different and produce different schema like before. Also now MSSQL is included in CI tests.

Bug fixes:

Fixes onIn with empty values array #2513
fix wrapIdentifier not being called in postgres alter column #2612
fixes wrapIdentifier to work with postgres returning statement 2630 #2642
Fix mssql driver crashing in certain cases when conneciton is closed unexpectedly #2637
Removed semicolon from rollback stmt for oracle #2564
Make the stream catch errors in the query #2638

New Features:

Create timestamp columns with microsecond precision on MySQL 5.6 and newer #2542
Allow storing stacktrace, where builder is initialized to be able trace back where certain query was created #2500 #2505
Added 'ref' function #2509, no need for knex.raw('??', ['id']) anymore, one can do knex.ref('id')
Support postgresql connection uri protocol #2609
Add support for native enums on Postgres #2632
Allow overwriting log functions #2625

Test / internal changes:

chore: cache node_modules #2595
Remove babel-plugin-lodash #2634
Remove readable-stream and safe-buffer #2640
chore: add Node.js 10 #2594
add homepage field to package.json #2650

`v0.14.6`

Bug fixes:

Restored functionality of query event #2566 (#2549)

`v0.14.5`

Bug fixes:

Fix wrapping returning column on oracledb #2554

New Features:

Support passing DB schema name for migrations #2499 #2559
add clearOrder method #2360 #2553
Added knexTxId to query events and debug calls #2476
Support multi-column whereIn with query #1390
Added error if chaining update/insert/etc with first() #2506
Checks for an empty, undefined or null object on transacting #2494
countDistinct with multiple columns #2449

Test / internal changes:

Added npm run test:oracledb command that runs oracledb tests in docker #2491
Runnin mssql tests in docker #2496
Update dependencies #2561

`v0.14.4`

Bug fixes:

containsUndefined only validate plain objects. Fixes #1898 (#2468)
Add warning when using .returning() in sqlite3. Fixes #1660 (#2471)
Throw an error if .update() results in an empty sql (#2472)
Removed unnecessary createTableIfNotExist and replaced with createTable (#2473)

New Features:

Allow calling lock procedures (such as forUpdate) outside of transaction. Fixes #2403. (#2475)
Added test and documentation for Event 'start' (#2488)

Test / internal changes:

Added stress test, which uses TCP proxy to simulate flaky connection #2460
Removed old docker tests, new stress test setup (#2474)
Removed unused property __cid on the base client (#2481)
Changed rm to rimraf in 'npm run dev' (#2483)
Changed babel preset and use latest node as target when running dev (#2484)

`v0.14.3`

Bug fixes:

Use tarn as pool instead of generic-pool which has been given various problems #2450
Fixed mysql issue where add columns failed if using both after and collate #2432
CLI sets exit-code 1 if the command supplied was not parseable #2358
Set toNative() to be not enumerable #2388
Use wrapIdentifier in columnInfo. fixes #2402 #2405
Fixed a bug when using .returning (OUTPUT) in an update query with joins in MSSQL #2399
Better error message when running migrations fail before even starting run migrations #2373
Read oracle's UV_THREADPOOL_SIZE env variable correctly #2372
Added decimal variable precision / scale support #2353

New Features:

Added queryContext to schema and query builders #2314
Added redshift dialect #2233
Added warning when one uses .createTableIfNotExist and deprecated it from docs #2458

Test / internal changes:

Update dependencies and fix ESLint warnings accordingly #2433
Disable oracledb tests from non LTS nodes #2407
Update dependencies #2422

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov bot commented Nov 11, 2019 •

edited

Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@b89bb6b). Click here to learn what that means.
The diff coverage is n/a.

❗ Current head 65b3d44 differs from pull request most recent head 0a452c5. Consider uploading reports for the commit 0a452c5 to get more accurate results

Additional details and impacted files

@@            Coverage Diff            @@
##             master      #75   +/-   ##
=========================================
  Coverage          ?   19.25%           
=========================================
  Files             ?       16           
  Lines             ?      187           
  Branches          ?       31           
=========================================
  Hits              ?       36           
  Misses            ?      121           
  Partials          ?       30

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b89bb6b...0a452c5. Read the comment docs.

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from 65b3d44 to 0a452c5 Compare

March 16, 2023 07:00

renovate bot changed the title ~~fix(deps): update dependency knex to v0.19.5 [security]~~ fix(deps): update dependency knex to v2 [security]

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from 0a452c5 to 8ba5746 Compare

August 10, 2025 13:53

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from 8ba5746 to daa10b6 Compare

October 22, 2025 00:11

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from daa10b6 to d10d7c9 Compare

February 2, 2026 21:02


          fix(deps): update dependency knex to v0.19.5 [security]

bb0ead7

renovate bot force-pushed the renovate/npm-knex-vulnerability branch from d10d7c9 to bb0ead7 Compare

February 4, 2026 06:35

renovate bot changed the title ~~fix(deps): update dependency knex to v2 [security]~~ fix(deps): update dependency knex to v0.19.5 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet