🚨 [security] Upgrade class-validator: 0.13.2 → 0.14.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ class-validator (0.13.2 → 0.14.0) · Repo · Changelog

Security Advisories 🚨

🚨 SQL Injection and Cross-site Scripting in class-validator

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

Release Notes

0.14.0 (from changelog)

Added

• add @IsTimeZone decorator to check if given string is valid IANA time zone
• add @IsISO4217CurrencyCode decorator to check if the string is an ISO 4217 currency code
• add @IsStrongPassword decorator to check if given password matches specific complexity criteria
• add @IsBase58 decorator to check if a string is base58 encoded
• add @IsTaxId decorator to check if a given string is a valid tax ID in a given locale
• add support for passing function as date generator in @MinDate and @MaxDate decorators
• add option to print constraint error message instead of constraint type in validation error
• improve decorator metadata lookup performance
• return possible values in error message for @IsEnum decorator

Fixed

• re-added @types/validator as dependency
• fix error generation when using @NestedValidation
• pass validation options correctly to validator in @IsDateString decorator
• support passing Symbol as parameter in error message generation
• specify supported locales for @IsAlphanumeric decorator
• correctly assign decorator name in metadata instead of loosing it
• fix various spelling errors in documentation
• fix various spelling errors and inconsistencies in JSDoc for decorators

Changed

• enable forbidUnknownValues option by default
• remove documentation about deprecated schema based validation and added warning
• update warning message logged about missing decorator metadata
• update libphonenumber-js to ^1.10.14 from ^1.9.43
• update various dev-dependencies

BREAKING CHANGES

forbidUnknownValues option is enabled by default

From this release the forbidUnknownValues is enabled by default. This is the desired behavior for majority of use-cases, but this change may break validation for some. The two scenarios that results in failed validation:

• when attempting to validate a class instance without metadata for it
• when using group validation and the specified validation group results in zero validation applied

The old behavior can be restored via specifying forbidUnknownValues: false option when calling the validate functions.

For more details see PR #1798 and #1422 (comment).

@NestedValidation decorator correctly assigns validation errors

Until now the errors from a nested validation in some cases were incorrectly assigned to the parent instead of the child being validated. Now the validation errors are correctly assigned.

For more details see #679.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 70 commits:

• merge: release 0.14.0 (#1841)
• build: bump version to 0.14.0
• docs: add changelog for 0.14.0
• build(deps-dev): bump @types/node from 18.11.11 to 18.11.12 (#1840)
• build(deps-dev): bump @typescript-eslint/eslint-plugin (#1837)
• build(deps-dev): bump @typescript-eslint/parser from 5.45.1 to 5.46.0 (#1838)
• build(deps-dev): bump typescript from 4.9.3 to 4.9.4 (#1835)
• build(deps-dev): bump @rollup/plugin-commonjs from 23.0.3 to 23.0.4 (#1836)
• build(deps-dev): bump prettier from 2.8.0 to 2.8.1 (#1834)
• build(deps-dev): bump @types/node from 18.11.10 to 18.11.11 (#1833)
• build(deps-dev): bump @typescript-eslint/parser from 5.45.0 to 5.45.1 (#1832)
• build(deps-dev): bump @typescript-eslint/eslint-plugin (#1831)
• build(deps-dev): bump @types/jest from 29.2.3 to 29.2.4 (#1829)
• build(deps-dev): bump eslint from 8.28.0 to 8.29.0 (#1830)
• build(deps-dev): bump lint-staged from 13.0.4 to 13.1.0 (#1828)
• feat: return possible values in error message for `@IsEnum` decorator (#1826)
• perf: store metadata in maps instead of arrays (#1825)
• build: enable downlevel iteration for ESM5 target
• feat: add `@IsISO4217CurrencyCode` decorator (#1824)
• feat: add `@IsTaxID` decorator (#1822)
• feat: add `showConstraintMessages` option to `ValidationError.toString()` (#1612)
• docs: update error message for no metadata warning
• docs: update JSDoc for `forbidUnknownValues`
• feat: add `@IsBase58` validator (#1765)
• feat: add decorator name to validation metadata (#1687)
• feat: add IsStrongPassword decorator (#1025)
• build(deps-dev): bump @types/node from 18.11.9 to 18.11.10 (#1819)
• build(deps-dev): bump @typescript-eslint/parser from 5.44.0 to 5.45.0 (#1814)
• build(deps-dev): bump @typescript-eslint/eslint-plugin (#1813)
• build(deps-dev): bump @rollup/plugin-commonjs from 23.0.2 to 23.0.3 (#1812)
• build(deps-dev): bump eslint-plugin-jest from 27.1.5 to 27.1.6 (#1809)
• build(deps-dev): bump lint-staged from 13.0.3 to 13.0.4 (#1808)
• build(deps-dev): bump prettier from 2.7.1 to 2.8.0 (#1806)
• build(deps-dev): bump @typescript-eslint/eslint-plugin (#1805)
• build(deps-dev): bump @typescript-eslint/parser from 5.43.0 to 5.44.0 (#1804)
• build(deps-dev): bump eslint from 8.27.0 to 8.28.0 (#1801)
• docs: remove hardcoded postal code list from JSDoc
• fix: add type for locale in `@IsAlphanumeric` decorator
• fix: add type for locale in `@IsAlpha` decorator
• build: restore @types/validator to dependencies
• test: remove export from test util functions
• test: add missing return statement in tests of `@Length` decorator
• docs: update wording in README about inheritance
• fix: correct typo in error message for `@ArrayMaxSize` decorator
• fix: handle symbols in constraintToString method (#1794)
• merge: enable `forbidUnknownValues` by default (#1798)
• test: update group tests to pass validation with `forbidUnknownValues` enabled
• feat: enable `forbidUnknownValues` by default
• fix: pass options to validator in `@IsDateString` decorator (#1720)
• docs: fix typo in JSDoc for `@IsHalfWidth` decorator
• fix: update typo in error message for `@IsUrl` decorator
• docs: correct typos in README
• feat: allow passing dynamic date to `MinDate` and `MaxDate` decorators (#1692)
• docs: add link to contribution guide in README (#1785)
• feat: add `@IsTimeZone` validator (#1796)
• fix: assign `@NestedValidation` error to parent when property is not a class instance (#673)
• build(deps-dev): bump typescript from 4.8.4 to 4.9.3 (#1783)
• build(deps-dev): bump @typescript-eslint/eslint-plugin (#1781)
• build(deps-dev): bump @typescript-eslint/parser from 5.42.1 to 5.43.0 (#1780)
• build(deps-dev): bump @types/jest from 29.2.2 to 29.2.3 (#1779)
• docs: update JSDoc for @Min and @Max decorators
• docs: fix typo in README about @IsEnum decorator
• docs: update JSDoc for @IsDecimal decorator
• docs: remove documentation about schema based validation
• docs: fix typo in README about @IsString decorator
• fix: use optional chaining in ValidationArguments before accessing their value (#1776)
• docs: rename IsHSLColor to IsHSL
• build: update CI/CD to use newer Node versions
• test: update decorator name in failing test
• build: update dependencies to latest

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.