🚨 [security] Update typeorm 0.3.20 → 1.0.0 (major)


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ typeorm (0.3.20 → 1.0.0) · Repo · Changelog

Security Advisories 🚨

🚨 TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Summary

SQL injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, because the underlying sqlstring call runs with stringifyObjects left at its default of false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

The above query is valid because city = name = 'Javad' is a boolean expression, resulting in city = 1 (false). The "role" column is injected and updated.

The underlying issue is that TypeORM used mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false, and that value is passed on to the sqlstring library. With the option set to false, sqlstring serializes an object value through objectToValues, which expands it into a list of `key` = value pairs instead of a single quoted string.
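The effect described above, reproduced with a small stand-alone model (an added example, not code from TypeORM, mysql2 or sqlstring). escapeValue imitates the object expansion the advisory attributes to objectToValues, buildUpdate and pickScalars are hypothetical helpers, and the sample bodies are the payloads from this advisory.

```javascript
// Added example: simplified model of the formatting behaviour, not library source.

// Quote a string literal (backslash and single quote only, enough for this demo).
const escapeString = (s) => "'" + String(s).replace(/[\\']/g, "\\$&") + "'";
// Quote an identifier the MySQL way.
const escapeId = (id) => "`" + String(id).replace(/`/g, "``") + "`";

// Model of value formatting with and without stringifyObjects.
function escapeValue(value, stringifyObjects) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number" || typeof value === "boolean") return String(value);
  if (Array.isArray(value)) {
    return value.map((v) => escapeValue(v, true)).join(", ");
  }
  if (typeof value === "object") {
    // stringifyObjects = true: the object becomes one quoted string.
    if (stringifyObjects) return escapeString(String(value));
    // stringifyObjects = false: the object is expanded into `key` = value pairs,
    // so attacker-chosen keys end up as column names in the SET clause.
    return Object.keys(value)
      .map((k) => escapeId(k) + " = " + escapeValue(value[k], true))
      .join(", ");
  }
  return escapeString(value);
}

// Hypothetical stand-in for the UPDATE that repository.save ends up issuing.
function buildUpdate(table, data, id, stringifyObjects) {
  const set = Object.keys(data)
    .map((col) => escapeId(col) + " = " + escapeValue(data[col], stringifyObjects))
    .join(", ");
  return "UPDATE " + escapeId(table) + " SET " + set +
    " WHERE `id` IN (" + escapeValue(id, stringifyObjects) + ")";
}

// Hypothetical request-side guard: copy only allow-listed fields and require
// each one to be a plain string, so a nested object never reaches the ORM.
function pickScalars(body, allowed) {
  const out = {};
  for (const field of allowed) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const v = body[field];
    if (typeof v !== "string") {
      const kind = Array.isArray(v) ? "array" : typeof v;
      throw new TypeError("field '" + field + "' must be a string, got " + kind);
    }
    out[field] = v;
  }
  return out;
}

// Request bodies taken from the advisory text (already parsed).
const benignBody = { username: "myusername", city: "Riga", name: "Javad" };
const nestedBody = { username: "myusername", city: { name: "Javad", role: "admin" } };
const ALLOWED = ["username", "city", "name"];

function demo() {
  let rejected = false;
  try {
    pickScalars(nestedBody, ALLOWED);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    legacy: buildUpdate("user", nestedBody, 1, false),   // pre-0.3.26 default
    hardened: buildUpdate("user", nestedBody, 1, true),  // stringifyObjects: true
    benign: buildUpdate("user", pickScalars(benignBody, ALLOWED), 1, true),
    rejected,                                            // guard refused nestedBody
  };
}

console.log(demo());
```

Upgrading changes the driver-level behaviour; the type check on request fields is a separate layer that also holds if stringifyObjects is switched back to false through connectionOptions.extra.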

Release Notes

1.0.0

TypeORM v1.0 is here! 🥳

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

This release includes breaking changes. See the v1.0 Upgrade Guide.

What's Changed

  • fix: include joined entity primary keys in pagination subquery by @mag123c in #11669
  • feat(postgres): add support for PostgreSQL indices by @freePixel in #11318
  • refactor!: remove legacy expo driver by @G0maa in #11860
  • fix(cockroachdb): preserve structured query results during txn retry replay by @naorpeled in #11861
  • docs: add version dropdown (stable/dev) to master by @naorpeled in #11862
  • docs: link to queryrunner api docs from top level queryrunner page by @hughrawlinson in #11869
  • feat: add error handling and log warning for ormconfig loading failures by @Cprakhar in #11871
  • refactor: remove shajs by @G0maa in #11864
  • ci: setup pnpm by @alumni in #11881
  • chore(docs): move to PNPM by @naorpeled in #11884
  • feat: add better typing for conditions in increment and decrement of EntityManager by @OSA413 in #11294
  • fix: getPendingMigrations unnecessarily creating migrations table by @pkuczynski in #11672
  • fix: copy cordova query rows affected into query result by @jacobg in #10873
  • fix: resolve nameless TableForeignKey on drop foreign key by @taichunmin in #10744
  • feat(docs): add Kapa.ai widget for AI-powered documentation assistance by @dlhck in #11891
  • fix: virtual property handling in schema builder by @skyran1278 in #11000
  • fix(mongo): correctly process embedded arrays of nested documents by @mciuchitu in #10940
  • feat(postgres): use ADD VALUE when changing enum values if possible by @janzipek in #10956
  • test: add mutation testing and mutation score badge by @OSA413 in #11253
  • fix: change import for process dependency by @yohannpoli in #11248
  • chore(tests): adapt Stryker mutator to pnpm and fix markup in README for badges by @OSA413 in #11893
  • chore(tests): send only mutation score to the Stryker dashboard by @OSA413 in #11895
  • fix: fix working with tables with quotes in the names for postgres and cockroachdb by @iskalyakin in #10993
  • refactor: replace uuid with native Crypto API by @mag123c in #11769
  • fix(mysql): getVersion returning undefined for PolarDB-X 2.0 by @Missna in #11837
  • test: align file names by @gioboa in #11898
  • ci: ensure pull request follow conventional commits spec by @pkuczynski in #11840
  • feat(qodo): enable new review experience by @naorpeled in #11909
  • test: modify tests to confirm ON CONFLICT ON CONSTRAINT on PostgreSQL/CockroachDB by @Cprakhar in #11908
  • feat: add support for installing additional postgres extensions by @Cprakhar in #11888
  • feat: add deferrable support to exclusion decorator to mirror unique and index decorators by @oGAD31 in #11802
  • chore(mutation testing): tweak Stryker for lower resource usage and decrease timeout for slow running mutants by @OSA413 in #11901
  • fix: raw select query with correctly ordered selected columns by @Cprakhar in #11902
  • docs: fix typo 'spass' to 'pass' by @guoxk-me in #11919
  • chore: align master with v0.3 by @gioboa in #11912
  • fix: update child's mpath by @JoseCToscano in #10844
  • test: verify column names when using referencedColumnName in composite relations by @Cprakhar in #11883
  • fix: merging into an entity now respects null values by @knoid in #11154
  • fix: handle re-save of postgres geometric types by @Cprakhar in #11857
  • fix(sqlite): handle simple-enum arrays correctly by @Cprakhar in #11865
  • fix: fix up map objects comparison by @mgohin in #10990
  • feat: support INSERT INTO ... SELECT FROM ... in QueryBuilder by @Cprakhar in #11896
  • fix: enhance upsert functionality for proper sql generation with table alias by @Cprakhar in #11915
  • fix: remove error handling for *-to-many in createPropertyPath by @ThbltLmr in #11119
  • fix: resolve issue order subquery column (Cannot get metadata of given alias) by @trannhan0810 in #11343
  • test: verify synchronize true works with multiple relations by @Cprakhar in #11889
  • feat: add encryption key for React Native by @HtSpChakradharCholleti in #11736
  • chore(qodo-config): add compliance checklist by @naorpeled in #11921
  • fix: soft deletion should not update the already soft deleted rows by @hassanmehdi98 in #10705
  • fix: update RelationIdLoader to use DriverUtils.getAlias by @te1 in #11228
  • fix: fix up join attributes inside bracket by @balkrushna in #11218
  • chore(qodo): disable in progress notification in master by @naorpeled in #11927
  • fix: make shorten method to properly work with camelCase_aliases by @OSA413 in #11283
  • test: added tests to verify jsonb operators in find options with Raw() by @Cprakhar in #11917
  • docs: correct typo in getting started by @rewento in #11932
  • fix(query-builder): resolve column lookup when using database column name in addOrderBy by @smith-xyz in #11904
  • docs: ensure consistent plural form for folder names (entities, migrations, etc) by @pkuczynski in #11903
  • ci: use prettier on all types of files it supports by @pkuczynski in #11842
  • ci(docs): add deploy Github Action by @naorpeled in #11911
  • fix: handle relation ids in nested embedded entities by @Cprakhar in #11942
  • fix: use subquery with join map one methods by @gioboa in #11943
  • docs: add JsonContains find-options example by @lraveri in #11945
  • fix: prevent columns with select false from being returned by @gioboa in #11944
  • fix(postgres): handle timestamptz persistence/hydration correctly by @Minishlink in #11774
  • fix(cli): init command loading non-existing package.json by @gioboa in #11947
  • feat: gsoc 2026 idea list by @G0maa in #11953
  • feat: add modern migrations tooling gsoc project by @G0maa in #11958
  • fix: fix up limit with joins by @gioboa in #11987
  • fix: fix up save with eagerly loaded relation by @gioboa in #11975
  • fix: fix up generated query with .update() by @gioboa in #11993
  • feat(sap): support locking in select by @alumni in #11996
  • fix: disable global order for aggregate functions by @Cprakhar in #11925
  • feat(ci): switch to npm trusted publishing with nightly support by @michaelbromley in #11986
  • feat: add support for table comments in SAP HANA by @Cprakhar in #11939
  • chore(qodo): disable persistent comments and inline code suggestions in master by @naorpeled in #11988
  • fix: prevent eager relations from being joined twice when explicitly specified by @veeceey in #11991
  • feat!: remove deprecated Connection and ConnectionOptions by @alumni in #12022
  • chore(deps): update dependencies to latest minor versions by @alumni in #12017
  • docs: document bulk operations with array of condition objects by @eka-bot-account in #12006
  • docs: add bulk operations examples for update, delete, and softDelete by @eka-bot-account in #12025
  • docs(jsdoc): add params and other lint fixes by @alumni in #12023
  • fix: fix up change detection with date transformer by @gioboa in #11963
  • fix: properly escape column alias in orderBy by @Cprakhar in #12027
  • feat(sqlite)!: drop support for sqlite3 and default to better-sqlite3 by @pkuczynski in #11836
  • test: move sqljs tests to test/functional/driver/ by @pkuczynski in #12036
  • test: reorganize lazy relation tests and standardize naming by @pkuczynski in #12038
  • ci: separate format check and lint by @pkuczynski in #11841
  • feat: support cascade truncate in clear() method by @Cprakhar in #11866
  • ci: stop competing executions by @gioboa in #12041
  • test: rename connections to dataSources by @pkuczynski in #12039
  • ci: commit prefix should follow standard-changelog by @alumni in #12059
  • fix: switch to type imports and exports whenever possible by @alumni in #12044
  • fix(docs): align code style by @gioboa in #12081
  • refactor(sap)!: remove SapConnectionOptions' deprecated properties by @gioboa in #12080
  • feat(mysql)!: remove deprecated MySQL integer display width and zerofill support by @pkuczynski in #12084
  • feat(mysql)!: disable legacy spatial support by default for MySQL by @pkuczynski in #12083
  • refactor(test): convert before hook implicit returns to block body by @pkuczynski in #12085
  • docs(sap): remove obsolete data source options in documentation by @gioboa in #12095
  • refactor(lock)!: remove deprecated pessimistic_partial_write and pessimistic_write_or_fail lock modes by @pkuczynski in #12093
  • style: enable no-return-assign eslint rule and fix violations by @pkuczynski in #12086
  • refactor(CustomRepository)!: remove AbstractRepository, @entityrepository, and getCustomRepository by @pkuczynski in #12096
  • refactor(mongo)!: remove deprecated getMongoRepository and getMongoManager globals by @pkuczynski in #12099
  • refactor(QueryBuilder)!: remove deprecated WhereExpression type alias by @pkuczynski in #12097
  • ci(eslint): upgrade eslint from v9 to v10 by @pkuczynski in #12100
  • style(eslint): fix no-useless-assignment violations by @pkuczynski in #12102
  • ci(codeql): upgrade codeql-action from v3 to v4 by @pkuczynski in #12103
  • style(eslint): fix preserve-caught-error violations by @pkuczynski in #12101
  • test(cascades): merge github-issue-57 inverse-side cascade test into existing functional test by @pkuczynski in #12107
  • refactor: remove deprecated global APIs and ConnectionManager by @michaelbromley in #12098
  • ci: add chore to allowed PR title types by @pkuczynski in #12109
  • test(relations): remove duplicate issue-56 test by @pkuczynski in #12106
  • test(cascades): move github-issue-70 test to cascades/cascade-remove-one-to-many by @pkuczynski in #12112
  • chore(deps-dev): update @stryker-mutator/core and mocha-runner to 9.6.0 by @pkuczynski in #12108
  • ci(qodo): remove summary comments location policy by @naorpeled in #12116
  • ci(qodo): remove publish_output_no_suggestions from pr_agent config by @naorpeled in #12118
  • style: rename connection to dataSource in functional tests by @pkuczynski in #12113
  • fix(postgres): execute queries sequentially to avoid pg 8.19.0 deprecation warning by @pkuczynski in #12105
  • test(relations): move github-issue-58 to multiple-primary-keys-many-to-many as explicit join entity test by @pkuczynski in #12111
  • refactor(mongodb)!: remove deprecated connection options by @pkuczynski in #12120
  • ci(qodo): remove /improve from pr and push commands by @naorpeled in #12128
  • test: reorganize column option tests into insert-control, update-control, and select-control by @pkuczynski in #12127
  • test: move github-issue-80 test to persistence/save-empty-array by @pkuczynski in #12126
  • test: move github-issue-71 test to relations/custom-join-column-name by @pkuczynski in #12125
  • ci(tests): limit push trigger to master branch only by @pkuczynski in #12122
  • refactor(Repository)!: remove deprecated exist() method by @pkuczynski in #12131
  • refactor(columns)!: remove deprecated readonly column option by @pkuczynski in #12132
  • refactor(columns)!: remove deprecated unsigned from ColumnNumericOptions by @pkuczynski in #12133
  • refactor(DriverUtils): remove deprecated buildColumnAlias method by @pkuczynski in #12138
  • refactor(broadcaster): remove deprecated broadcastLoadEventsForAll method by @pkuczynski in #12137
  • refactor(MigrationExecutor)!: remove deprecated getAllMigrations method by @pkuczynski in #12142
  • ci(milestones): add workflow to auto-assign milestones on merge by @pkuczynski in #12139
  • refactor(EntityMetadata)!: remove deprecated static createPropertyPath method by @pkuczynski in #12141
  • refactor(ConnectionOptionsReader)!: remove ConnectionOptionsEnvReader and TYPEORM_* env variable support by @pkuczynski in #12134
  • ci: do not skip detect-changes on pull requests by @pkuczynski in #12145
  • feat(mongo)!: remove exported internal types by @alumni in #12037
  • fix: scope invalidWhereValuesBehavior to high-level abstractions only by @naorpeled in #11878
  • ci(tests): add detect-changes to all-passed job needs by @pkuczynski in #12146
  • docs: remove GSoC documentation by @naorpeled in #12147
  • ci(publish): skip publish-package workflow in forks by @pkuczynski in #12148
  • feat(QueryRunner): add ifExists parameter to all drop methods by @pkuczynski in #12121
  • docs: add Docusaurus blog by @dlhck in #12156
  • docs: add roadmap page linking to GitHub milestones by @pkuczynski in #12140
  • refactor(QueryBuilder)!: remove onConflict(), deprecated orUpdate() overload, and setNativeParameters() by @pkuczynski in #12090
  • refactor!: remove internal nativeParameters plumbing from drivers and query builders by @pkuczynski in #12104
  • refactor(SqlServer)!: remove deprecated domain connection option by @pkuczynski in #12135
  • docs: update contact email to maintainers@typeorm.io by @pkuczynski in #12161
  • refactor(ConnectionOptionsReader)!: remove deprecated DataSource.name and simplify API by @pkuczynski in #12136
  • test: remove skipped github-issue-114 test by @pkuczynski in #12144
  • ci(tests): add merge_group trigger to tests workflow by @pkuczynski in #12163
  • test: move github-issue-108 test to schema-builder/sync-unique-constraint-names by @pkuczynski in #12143
  • ci(cockroachdb): add health check for CockroachDB service by @pkuczynski in #12157
  • feat(invalid-where-values-behavior): make throw the default by @naorpeled in #11710
  • test(github-issue): move test 190 to query-builder/take/sqlite-high-take-limit by @pkuczynski in #12176
  • refactor(container): remove deprecated IoC container system by @pkuczynski in #12180
  • refactor(QueryBuilder): remove deprecated replacePropertyNames method by @pkuczynski in #12178
  • refactor(mongodb): remove deprecated connection options by @pkuczynski in #12179
  • test(github-issue): move test 175 to relations/empty-relation-returns-array by @pkuczynski in #12171
  • test(github-issue): move test 163 to relations/many-to-many/save-from-both-sides by @pkuczynski in #12169
  • test(github-issue): remove duplicate test 134 by @pkuczynski in #12168
  • feat(redis)!: remove support for legacy redis client versions by @G0maa in #12057
  • test(github-issue): remove duplicate test 131 by @pkuczynski in #12167
  • test(github-issue): move test 174 to embedded/order-by-duplicate-column-name by @pkuczynski in #12170
  • test(github-issue): remove duplicate test 184 by @pkuczynski in #12175
  • test(github-issue): move test 197 to schema-builder/drop-column-with-index by @pkuczynski in #12177
  • test(github-issue): remove duplicate test 182 by @pkuczynski in #12173
  • perf(postgres): batch DROP statements in clearDatabase() by @pkuczynski in #12164
  • perf(cockroachdb): batch DROP statements in clearDatabase() by @pkuczynski in #12159
  • refactor(QueryRunner): remove deprecated loadedTables and loadedViews properties by @pkuczynski in #12183
  • refactor(decorator): remove deprecated @RelationCount decorator by @pkuczynski in #12181
  • refactor!: remove deprecated findByIds from Repository and EntityManager by @pkuczynski in #12114
  • fix(postgres,cockroachdb): use parameterized queries in clearDatabase() by @pkuczynski in #12185
  • ci(qodo): removed extra comment from PR agent by @gvago in #12186
  • fix(upsert): handle update false or generatedType properly by @gioboa in #12030
  • ci: consolidate test configs into ormconfig.sample.json by @pkuczynski in #12162
  • test(github-issue): remove duplicate test 176 by @pkuczynski in #12172
  • ci(publish): overhaul publish package strategy with tagging by @pkuczynski in #12154
  • ci(qodo): remove final_update_message config by @naorpeled in #12191
  • refactor(find-options): un-deprecate OrderByCondition type by @pkuczynski in #12187
  • test(github-issue): move test 211 to query-builder/parameters/spread-in-parameters by @pkuczynski in #12196
  • ci(docs): remove unused docsearch workflow and scraper config by @pkuczynski in #12194
  • fix(ValueTransformer): transform FindOperators in ApplyValueTransformers by @ZimGil in #11172
  • ci: restore npm upgrade and bump Node to 24 for trusted publishing by @pkuczynski in #12199
  • refactor(query-builder): replace deprecated substr with modern alternatives by @naorpeled in #12149
  • ci: update github actions to latest versions by @pkuczynski in #12201
  • docs(container): expand migration guide with DI patterns and alternatives by @pkuczynski in #12192
  • ci(qodo): turn off feedback_or_draft_pr by @gvago in #12204
  • test(sql-injection): add regression tests for SQL injection prevention by @pkuczynski in #12203
  • refactor!: remove Buffer polyfill and replace Buffer with Uint8Array on non-node platforms by @pujux in #11935
  • ci: use typeorm org Docker images for CI by @naorpeled in #12189
  • ci(cockroachdb): split tests into parallel shards by @naorpeled in #12184
  • ci(qodo): fix placement of publish_output_progress setting by @naorpeled in #12206
  • refactor(query-builder)!: rename printSql to logQuery by @naorpeled in #12151
  • ci: improve path filters for format and test jobs by @pkuczynski in #12205
  • fix(mongodb): translate ObjectIdColumn property name to _id in find queries by @pkuczynski in #12200
  • fix(query-runner): parameterize SQL queries across all drivers by @pkuczynski in #12197
  • style(docs): prettify search results dropdown by @naorpeled in #12213
  • refactor(mongo)!: drop MongoDB driver v6 support, require v7 by @naorpeled in #12208
  • feat(sqlite): add support for jsonb column type in SQLite by @Cprakhar in #11933
  • ci(publish): use node 20 for v0.3 nightly builds by @pkuczynski in #12216
  • ci(qodo): turn off progress comments and agentic describe by @gvago in #12225
  • fix(query-builder): resolve alias collision for self-referencing relations with query load strategy by @campmarc in #11066
  • test(json): merge github-issue-204 into json/basic-jsonb by @pkuczynski in #12190
  • fix(query-runner): parameterize queries and escape identifiers to prevent SQL injection by @pkuczynski in #12207
  • ci(publish): serialize nightly publish jobs to avoid npm 409 conflict by @pkuczynski in #12228
  • docs: improve migration guide and add v1.0 release notes by @pkuczynski in #12229
  • build(gulp): remove gulpclass dependency and modernize build pipeline by @pkuczynski in #12224
  • test(entity-listeners): add tests for listeners with entity inheritance by @Cprakhar in #12219
  • fix: propagate schema and database to closure junction table by @nvdnkpr in #12110
  • refactor(find-options)!: remove deprecated join option from find methods by @pkuczynski in #12188
  • refactor(find-options)!: remove deprecated string-based select from find methods by @pkuczynski in #12214
  • refactor(find-options)!: remove deprecated string-based relations from find methods by @pkuczynski in #12215
  • refactor(repository)!: remove deprecated findOneById methods by @pkuczynski in #12198
  • perf(relations)!: use inner join for non-nullable ManyToOne and OneToOne relations by @chunghyunleeme in #12064
  • fix: eager load relation strategy by @SharkSharp in #11326
  • refactor: rename connection to dataSource in the Driver and QueryRunner classes by @alumni in #12244
  • refactor: rename connection to dataSource in the EntityManager and QueryBuilder classes by @alumni in #12245
  • refactor: rename connection to dataSource in all *Event interfaces by @alumni in #12246
  • refactor!: rename connection to dataSource in the metadata classes by @alumni in #12249
  • docs(relations): document relationLoadStrategy and loadEagerRelations by @pkuczynski in #12254
  • test(tree): consolidate tree tests from github-issues into tree-tables by @pkuczynski in #12259
  • test(tree): simplify tree test entities and remove unused fields by @pkuczynski in #12260
  • fix(query-builder): validate orderBy condition values at runtime by @pkuczynski in #12217
  • refactor(query-builder)!: remove logQuery method by @pkuczynski in #12220
  • ci(qodo): disable persistent review notification by @naorpeled in #12263
  • feat: add codemod package for automated v1 migration by @pkuczynski in #12233
  • ci: extract reusable composite actions for consistency and fix missing frozen-lockfile by @pkuczynski in #12202
  • fix(mssql)!: rename dataSource isolation options and assign proper values during createPool by @Cprakhar in #12231
  • fix(query-builder): follow-up fixes for eager load relation strategy by @pkuczynski in #12256
  • test: unskip cascade soft-remove and add recovery tests by @richarda23 in #12252
  • chore: remove integration tests and migrate cascade coverage to functional by @pkuczynski in #12273
  • docs: move inline code examples to JSDoc @example tags by @pkuczynski in #12275
  • test(cascades): consolidate cascade tests together by @pkuczynski in #12276
  • fix(cli): preserve devDependencies needed by init command in published package by @pkuczynski in #12281
  • style(tests): standardize test setup hooks to async/await pattern by @pkuczynski in #12271
  • fix(persistence)!: handle non-nullable FK in orphaned row nullification by @gioboa in #11982
  • fix(codemod): exclude type declarations from build by @pkuczynski in #12292
  • docs(deps): upgrade React to 19, lucide-react to 1.x by @pkuczynski in #12294
  • chore(codemod): add homepage field to package.json by @pkuczynski in #12291
  • docs: add Releases section with v1.0 announcement bar by @pkuczynski in #12293
  • docs: add social links to maintainer cards by @pkuczynski in #12296
  • fix(test): replace hardcoded IDs and names with entity references in closure-table test by @pkuczynski in #12289
  • chore!: remove dead code, debug blocks, and commented-out code by @naorpeled in #12284
  • fix(query-builder): reject semicolons in raw SQL expression methods by @pkuczynski in #12209
  • fix(cascade): propagate withDeleted to relation-id loader for many-to-many recover by @pkuczynski in #12287
  • docs: simplify upgrading guide and remove internal implementation details by @pkuczynski in #12305
  • docs(sidebar): flatten Advanced Topics into main menu and split Performance Optimization by @pkuczynski in #12319
  • refactor: replace deprecated substr by @Cprakhar in #12302
  • fix(metadata-builder): deferrable for many to many by @smith-xyz in #11924
  • test: prevent enum mutation from polluting other tests by @pkuczynski in #12306
  • test(schema-builder): reorganize schema-builder tests by topic by @pkuczynski in #12290
  • fix(types): add proper entity typing for queryBuilder.update by @OSA413 in #11296
  • fix(test): clean up schema-builder test entities and code smells by @pkuczynski in #12324
  • refactor(test): replace findOne with findOneOrFail to eliminate non-null assertions by @pkuczynski in #12325
  • test: rename test files by @Cprakhar in #12268
  • fix(cascade): support cascade remove for OneToMany relations with composite PKs by @pkuczynski in #12286
  • docs: use indexes instead of indices in documentation by @pkuczynski in #12321
  • test(cascades): unskip composite PK cascade tests and remove driver restrictions by @pkuczynski in #12283
  • style(eslint): enable prefer-optional-chain rule by @pkuczynski in #12331
  • style(eslint): enable prefer-nullish-coalescing rule by @pkuczynski in #12340
  • style(eslint): enable prefer-string-starts-ends-with rule by @pkuczynski in #12332
  • fix(schema): sort composite FK columns to match referenced PK index order by @pkuczynski in #12280
  • fix: remove whitespaces in log query by @Cprakhar in #12047
  • feat(transactions): add isolationLevel option to DataSource for all drivers by @pkuczynski in #12269
  • docs: update multiple data sources examples by @omarrayoubb in #12327
  • docs(performance): add database-specific EXPLAIN examples to indexes guide by @pkuczynski in #12328
  • feat(mongodb): implement object-based select projection for find methods by @pkuczynski in #12237
  • feat(aurora-postgres): transaction isolation level support by @pkuczynski in #12334
  • refactor!: remove app-root-path by @alumni in #12257
  • chore!: remove dead skipNulls option from getEntityValueMap by @naorpeled in #12303
  • feat(spanner): implement transaction isolation level support by @pkuczynski in #12335
  • style(eslint): add rules preventing deprecated string methods by @pkuczynski in #12320
  • style(eslint): enable unicorn/prefer-string-replace-all rule by @pkuczynski in #12222
  • ci(spanner): add spanner job to the linux test matrix by @pkuczynski in #12349
  • docs(release-notes): sync release notes by @pkuczynski in #12356
  • feat(codemod): detect incompatible ecosystem packages and bump dependency versions by @pkuczynski in #12360
  • docs(release-notes): restore RdbmsSchemaBuilder.renameTables() entry by @naorpeled in #12366
  • ci: migrate code coverage from Coveralls to SonarCloud by @pkuczynski in #12274
  • docs(maintainers): add Prakhar and Shaun as maintainers by @naorpeled in #12365
  • test: fix flaky enum assertion and test CI job database in cli init by @Cprakhar in #12381
  • chore: expand qodo with review-ux and self-review options by @pkuczynski in #12380
  • fix(codemod): scope v1 transforms to typeorm imports and skip .d.ts files by @pkuczynski in #12372
  • fix(codemod): handle aliases, quoted keys, and ObjectProperty variants by @pkuczynski in #12377
  • fix(codemod): rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata by @pkuczynski in #12383
  • fix(codemod): track DataSource accessor chains for typed-variable renames by @pkuczynski in #12385
  • test(codemod): pin that find-options string transforms leave non-array values alone by @pkuczynski in #12384
  • fix(codemod): handle typeof type queries and use getStringValue consistently by @pkuczynski in #12379
  • fix(codemod): recognize typeorm deep-path imports by @pkuczynski in #12382
  • feat(codemod): flag removed ConnectionManager class constructions by @pkuczynski in #12376
  • feat(codemod): flag FileLogger usage with non-absolute logPath by @pkuczynski in #12361
  • fix: do not run npm install by @alumni in #12386
  • fix(codemod): handle lock option objects correctly and increase test coverage by @Cprakhar in #12353
  • fix(codemod): correct relation-count guidance and flag loadRelationCountAndMap by @pkuczynski in #12374
  • feat(codemod): flag removed FindOneOptions/FindManyOptions join property by @pkuczynski in #12375
  • feat(codemod): rename ConnectionOptionsReader.all() to get() and flag path semantics change by @pkuczynski in #12362
  • chore(decorator): remove stale todo on JoinColumnOptions.referencedColumnName by @naorpeled in #12370
  • chore(codemod): release 1.0.1 by @michaelbromley in #12390
  • fix(codemod): rewrite typeorm re-exports in barrel files by @pkuczynski in #12373
  • fix(expo): auto-load expo-sqlite driver via loadDependencies() by @pkuczynski in #12363
  • docs(issue-template): add capacitor option to drivers list and remove sqlite-abstract by @Cprakhar in #12371
  • docs(security): route vulnerability reports to GitHub Security Advisories by @smith-xyz in #12359
  • fix(codemod): harden scope, idempotency, and import-strip semantics by @pkuczynski in #12391
  • fix(codemod): harden scope and type-name detection across more AST shapes by @pkuczynski in #12394
  • chore(codemod): release 1.0.2 by @michaelbromley in #12395
  • chore(deps): bump dependencies and fix lint offenses by @pkuczynski in #12401
  • feat(mysql): update query types to include named parameters by @kranners in #11798
  • fix(codemod): harden destructure and DI accessor rewrites for connection to dataSource rename by @pkuczynski in #12398
  • fix(codemod): apply find-options select/relations rewrites to .exists() too by @pkuczynski in #12399
  • chore: remove legacy samples and move playground to root by @pkuczynski in #12403
  • revert(250e019): undo change modifying intended behavior in QueryBuilder (PR 12209) by @alumni in #12396
  • chore(deps): bump docs dependencies by @pkuczynski in #12402
  • fix(postgres,cockroachdb): load enum values in declaration order by @pkuczynski in #12404
  • docs: remove references to archived typeorm example repos by @pkuczynski in #12410
  • fix: query stack trace by @Cprakhar in #12056
  • feat(sap): add support for generated column in SAP HANA by @Cprakhar in #12393
  • fix(codemod): cover ColumnMetadata args.options in column option rewrites by @pkuczynski in #12400
  • chore(codemod): release 1.0.3 by @michaelbromley in #12417
  • docs(transactions): clarify CockroachDB isolation level behavior and add tests by @Cprakhar in #12350
  • refactor!: extract legacy naming strategies by @alumni in #12416
  • fix(postgres): execute remaining relation-load and persistence paths sequentially to avoid pg 8.19.0 deprecation by @kyungseopk1m in #12421
  • chore(legacy-naming-strategies): bump to 1.0.0-beta.3 by @michaelbromley in #12430
  • fix: use file reference for typeorm in playground to prevent false dependabot alerts by @smith-xyz in #12438
  • chore(deps): update all dependencies to their latest minor version by @smith-xyz in #12439
  • fix: scope computed-columns join to correct table in MSSQL schema query by @PreAgile in #12288
  • fix: preserve user-defined shared join columns in change set by @PreAgile in #12354
  • fix(security): validate limit() in Update/SoftDelete query builders by @smith-xyz in #12436
  • ci: pin all GitHub Actions to commit SHAs by @smith-xyz in #12481
  • revert: fix up limit with joins by @gioboa in #12478
  • chore(deps): bump the github-actions-third-party group with 3 updates by @dependabot[bot] in #12484
  • chore(deps): bump the github-actions-official group with 3 updates by @dependabot[bot] in #12483
  • fix(mysql)!: use index identifiers instead of raw SQL in QB.useIndex() by @eddieran in #12344
  • fix(find-options): allow array values in JsonContains by @kyungseopk1m in #12420
  • fix(cockroachdb): adjust join in loadTables to load correct table columns by @Cprakhar in #12413
  • chore: release v1.0.0 by @michaelbromley in #12510

Full Changelog: 0.3.30...1.0.0

0.3.30

What's Changed

  • fix: scope invalidWhereValuesBehavior to high-level abstractions only by @naorpeled in #11878
  • fix: scope computed-columns join to correct table in MSSQL schema query by @PreAgile in #12288
  • fix: preserve user-defined shared join columns in change set by @PreAgile in #12354
  • revert: fix up limit with joins by @alumni
  • fix(find-options): allow array values in JsonContains by @kyungseopk1m in #12420
  • fix(cockroachdb): adjust join in loadTables to load correct table columns by @Cprakhar in #12413
  • ci: use the v0.3 branch as base for detect-changes by @alumni
  • chore(release): release 0.3.30 by @alumni in #12511

Full Changelog: 0.3.29...0.3.30

0.3.29

Full Changelog: 0.3.28...0.3.29

0.3.28

Full Changelog: 0.3.27...0.3.28

0.3.27

Note: This release reverts a fix from 0.3.26 (#11114) because it introduced a regression in certain cases.

Once a fix can be provided which does not have this regression, it will be released in a future patch.

Full Changelog: 0.3.26...0.3.27

0.3.26

Notes:

  • When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
    in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
  • When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
    is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.
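
The effect of the stringifyObjects note above, shown as an added example: this is a simplified model written for this page, not sqlstring's or TypeORM's source, and it covers only scalars and plain objects. The names `escapeValue`, `buildSet` and `assertScalarFields` are hypothetical, and the sample object is constructed to match the shape used in the advisory.

```javascript
// Simplified model of value formatting (assumption: scalars and plain objects only).
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

function escapeString(s) {
  return "'" + String(s).replace(/[\\']/g, (c) => '\\' + c) + "'";
}

// stringifyObjects=false: a plain object expands to `key` = value pairs.
// stringifyObjects=true: a plain object is stringified and quoted as one value.
function escapeValue(val, stringifyObjects) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number' || typeof val === 'boolean') return String(val);
  if (typeof val === 'object') {
    if (stringifyObjects) return escapeString(val.toString());
    return Object.keys(val)
      .map((k) => escapeId(k) + ' = ' + escapeValue(val[k], true))
      .join(', ');
  }
  return escapeString(val);
}

// Builds the SET clause of an UPDATE from a column -> value map.
function buildSet(data, stringifyObjects) {
  return Object.keys(data)
    .map((col) => escapeId(col) + ' = ' + escapeValue(data[col], stringifyObjects))
    .join(', ');
}

// Defence in depth: copy only allowed fields and reject objects and arrays
// before the data reaches repository.save or repository.update.
function assertScalarFields(body, allowed) {
  const out = {};
  for (const key of allowed) {
    const v = body[key];
    if (v === undefined) continue;
    if (v !== null && typeof v === 'object') {
      throw new TypeError('field "' + key + '" must be a scalar value');
    }
    out[key] = v;
  }
  return out;
}

// Constructed sample input with a nested object in place of a string.
const nested = { username: 'myusername', city: { name: 'Javad', role: 'admin' } };
```

With `stringifyObjects` set to false the model reproduces the extra `role` assignment from the advisory; with true the nested object collapses to a single quoted string.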

What's Changed

  • chore: Remove manual trigger on publish workflow by @michaelbromley in #11536
  • test(ci): force mocha to exit on stuck process by @OSA413 in #11538
  • fix(oracle): pass duplicated parameters correctly to the client when executing a query by @alumni in #11537
  • feat(sap): add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud by @alumni in #11526
  • fix: add stricter type-checking and improve event loop handling by @alumni in #11540
  • perf: avoid unnecessary count on getManyAndCount by @EQuincerot in #11524
  • feat(sap): use the native driver for connection pooling by @alumni in #11520
  • fix: support for better-sqlite3 v12 by @mohd-akram in #11557
  • fix: preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) by @kettui in #10679
  • chore: change test badge from test.yml to commit-validation.yml by @albasyir in #11560
  • fix: do not create junction table metadata when it already exists by @ragrag in #11114
  • fix(mysql): support AnalyticDB returning version() column name in getVersion() by @rhydian0x in #11555
  • fix: resolve array modification bug in QueryRunner drop methods #11563 by @taina0407 in #11564
  • fix(mysql): set stringifyObjects implicitly by @alumni in #11574
  • docs: separate driver-specific documentation by @alumni in #11581
  • docs: fix redirect to mongodb page by @alumni in #11584
  • feat(11528): add Redis 5.x support with backward compatibility with peer dependency to allow by @par333k in #11585
  • fix: regtype is not supported in aurora serverless v2 by @ArsenyYankovsky in #11568
  • fix(platform[web worker]): improve globalThis variable retrieval for … by @dasoncheng in #11495
  • docs: added @piying/orm extension to readme by @wszgrcy in #11596
  • docs: Fix reload option typo by @radovanovic-stevan in #11601
  • feat: add entity mode virtual-property by @wszgrcy in #11597
  • chore: Release v0.3.26 by @michaelbromley in #11602

Full Changelog: 0.3.25...0.3.26

0.3.25

What's Changed

  • docs: use correct SQL statements in softDelete/restore comments by @sgarner in #11489
  • fix: resolve alias or table name in upsert and orUpdate for PostgreSQL driver conditionally by @mmarifat in #11452
  • feat(spanner): use credentials from connection options by @denes in #11492
  • feat: add upsert support for Oracle, SQLServer and SAP HANA by @Yuuki-Sakura in #10974
  • fix: handle limit(0) and offset(0) correctly in SelectQueryBuilder by @yeonghun104 in #11507
  • fix: add collation update detection in PostgresDriver by @asn6878 in #11441
  • feat: add typesense/docsearch-scraper by @gioboa in #11424
  • chore: improve linting by @alumni in #11510
  • chore: improve linting (fixup) by @alumni in #11511
  • docs: new website initial commit by @naorpeled in #11408
  • fix: fix up doc search workflow by @gioboa in #11513
  • chore: update workflows to ignore changes in docs directory by @dlhck in #11518
  • feat(docs): add Plausible analytics script to Docusaurus config by @dlhck in #11517
  • docs: add note about using YugabyteDB by @mguida22 in #11521
  • chore(docs): improve website generation config by @alumni in #11527
  • fix(tree-entity): closure junction table primary key definition should match parent table by @gongAll in #11422
  • docs: add heading to Getting Started page by @sgarner in #11531
  • fix: Multiple relations with same columns cause invalid SQL to be generated by @yevhen-komarov in #11400
  • fix: fix null pointer exception on date array column comparison by @mnbaccari in #11532
  • chore(ci): simplify workflows by @alumni in #11530
  • fix: improve async calls on disconnect by @alumni in #11523

Full Changelog: 0.3.24...0.3.25

0.3.24

Full Changelog: 0.3.23...0.3.24

0.3.23

Full Changelog: 0.3.22...0.3.23

0.3.22

Full Changelog: 0.3.21...0.3.22

0.3.21

Full Changelog: 0.3.20...0.3.21

Commits

See the full diff on GitHub. The new version differs by more commits than we can show here.