
Vulnerable dependency: validator #18032

@itdrm

Description


Issue Creation Checklist

  • I understand that my issue will be automatically closed if I don't fill in the requested information
  • I have read the contribution guidelines

Bug Description

Sequelize depends on vulnerable versions of validator.

Reproducible Example

```
npm audit
validator  *
Severity: moderate
validator.js has a URL validation bypass vulnerability in its isURL function - https://github.com/advisories/GHSA-9965-vmph-33xx
fix available via `npm audit fix --force`
Will install sequelize@1.2.1, which is a breaking change
node_modules/validator
  sequelize  0.0.0-development || >=1.3.0
  Depends on vulnerable versions of validator
  node_modules/sequelize
```

Environment

  • Sequelize version: 6.37.7

Would you be willing to resolve this issue by submitting a Pull Request?

  • Yes, I have the time and I know how to start.
  • Yes, I have the time but I will need guidance.
  • No, I don't have the time, but my company or I are supporting Sequelize through donations on OpenCollective.
  • No, I don't have the time, and I understand that I will need to wait until someone from the community or maintainers is interested in resolving my issue.

Indicate your interest in the resolution of this issue by adding the 👍 reaction. Comments such as "+1" will be removed.

Labels: pending-approval (Bug reports that have not been verified yet, or feature requests that have not been accepted yet)