Skip to content

Comments

chore: update dependency loopback-connector-postgresql to v5.5.1 [security]#125

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-loopback-connector-postgresql-vulnerability
Open

chore: update dependency loopback-connector-postgresql to v5.5.1 [security]#125
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-loopback-connector-postgresql-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
loopback-connector-postgresql 5.3.05.5.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-35942

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection.

Impact

When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.

This affects users who does any of the following:

  • Connect to the database via the DataSource with allowExtendedProperties: true setting OR
  • Uses the connector's CRUD methods directly OR
  • Uses the connector's other methods to interpret the LoopBack filter.

Patches

Patch release loopback-connector-postgresql@5.5.1 has been published of which resolves this issue.

Workarounds

Users who are unable to upgrade should do the following if applicable:

  • Remove allowExtendedProperties: true DataSource setting
  • Add allowExtendedProperties: false DataSource setting
  • When passing directly to the connector functions, manually sanitize the user input for the contains LoopBack filter beforehand.

Release Notes

loopbackio/loopback-connector-postgresql (loopback-connector-postgresql)

v5.5.1

Compare Source

=========================

  • fix: improve filter sanitisation (Rifa Achrinza)

  • fix: debug prints the password in plain text (Francisco Buceta)

  • docs: add SECURITY.md (Diana Lau)

  • docs: update coc (Diana Lau)

  • docs: add code of conduct (Diana Lau)

v5.5.0

Compare Source

=========================

  • chore: add Rifa and Mario as codeowners (Diana Lau)

  • fix: disregard empty and/or fields (Abhilash Murthy)

  • feat(operators): add fts match operator (Akshat Dubey)

  • chore: move repo to loopbackio org (Diana Lau)

  • Defensively drop constraints during migrations (Chris Kobrzak)

v5.4.0

Compare Source

=========================

  • Add on delete options on FK constraints (Quentin Le Bour)

  • ci: switch from Travis to Github Actions (Agnes Lin)

  • Revert "ci: switch travis to github actions" (Miroslav Bajtoš)

  • ci: switch travis to github actions (Francisco Buceta)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Aug 6, 2024
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-postgresql-vulnerability branch from 0078471 to 95afdc2 Compare January 23, 2025 17:54
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-postgresql-vulnerability branch from 95afdc2 to c80fe67 Compare September 25, 2025 21:01
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-postgresql-vulnerability branch from c80fe67 to 35fd98b Compare December 3, 2025 17:54
@renovate renovate bot changed the title chore: update dependency loopback-connector-postgresql to v5.5.1 [security] chore: update dependency loopback-connector-postgresql to v5.5.1 [security] - autoclosed Dec 9, 2025
@renovate renovate bot closed this Dec 9, 2025
@renovate renovate bot deleted the renovate/npm-loopback-connector-postgresql-vulnerability branch December 9, 2025 18:08
@renovate
chore: update dependency loopback-connector-postgresql to v5.5.1 [sec…
033b1a8 
…urity]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title chore: update dependency loopback-connector-postgresql to v5.5.1 [security] - autoclosed chore: update dependency loopback-connector-postgresql to v5.5.1 [security] Dec 10, 2025
@renovate renovate bot reopened this Dec 10, 2025
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-postgresql-vulnerability branch 2 times, most recently from 35fd98b to 033b1a8 Compare December 10, 2025 02:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants