Deprecation warning for String based operators #8417

Closed
krishangupta opened this issue Oct 3, 2017 · 106 comments

@krishangupta krishangupta commented Oct 3, 2017

Since I upgraded to 4.13.2 I get a deprecation warning

sequelize deprecated String based operators are now deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/tutorial/querying.html#operators node_modules/sequelize/lib/sequelize.js:236:13

I do not use any string based operators, however, or any operators of any kind. I didn't even know what an operator was actually, which is why I was confused.

I can fix this by adding operatorsAliases: false when instantiating the Sequelize object as below. Should this not be the default though? Or can we have the warning and documentation more clearly state that operatorsAliases: false must be set in order to avoid the warning?

```js
const sequelize = new Sequelize(
  config.RDS_DB_NAME,
  config.RDS_USERNAME,
  config.RDS_PASSWORD,
  {
    host: config.RDS_HOSTNAME,
    dialect: 'mysql',
    logging: false,
    freezeTableName: true,
    operatorsAliases: false
  }
)
```

@rojerv rojerv commented Oct 4, 2017

The same error

@krishangupta krishangupta changed the title from "sequelize deprecated String based operators are now deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/tutorial/querying.html#operators node_modules/sequelize/lib/sequelize.js:236:13" to "Deprecation warning for String based operators" on Oct 4, 2017

Contributor

@sushantdhiman sushantdhiman commented Oct 4, 2017

This is a deprecation warning, the reason behind which is clearly stated in http://docs.sequelizejs.com/manual/tutorial/querying.html#operators-security ; I am sure you must have read it.

Let me distill this regardless. Most web frameworks in Node.js allow parsing an object-like string into an actual JS object. This becomes a major issue when developers pass user input to Sequelize methods without sanitizing it.

For example, consider this sample of code:

```js
db.Token.findOne({
  where: {
    token: req.query.token
  }
});
```

Now a bad actor could pass token='{"$gt": 1}', which will make the above query become something like this:

```js
db.Token.findOne({
  where: {
    token: {
      $gt: 1
    }
  }
});
```

This is because $gt is a string based operator which can be injected as a string. To mitigate this we introduced secure operators #8240

Secure operators are Symbols, which can't be duplicated by such object conversion. If we were using the above code with secure operators we get this state:

```js
db.Token.findOne({
  where: {
    token: {
      $gt: 1 // invalid, as Op.gt is an operator but $gt is not. This will throw an error
    }
  }
});
```

We can't make these symbol operators the default for everyone, as this would be a breaking change.

So what should you as a developer do now

  1. If you follow good development practices and sanitize your user inputs properly, go ahead and ignore this warning. We encourage you to switch your code base to use Op based operators, as in v5 String based operators $gte, $lte .... will be disabled by default

  2. If you think your inputs are not properly sanitized, please change your codebase to use Op (Symbol based operators).

You still want to use a few or all string operators, but don't want this warning

You can pass an operators map to operatorsAliases as explained in http://docs.sequelizejs.com/manual/tutorial/querying.html#operators-aliases

So in theory you can pass all current operators and disable this warning, but be aware of this issue and don't forget to sanitize your user inputs.

More discussion and implementation details here

Author

@krishangupta krishangupta commented Oct 4, 2017

@sushantdhiman Thanks for the quick response. I would normally expect deprecation warnings when I had actually used the thing that was being deprecated. I was really hunting my code for any operators before I figured out what was going on.

You have this section of the docs.

You can limit alias your application will need by setting operatorsAliases option, remember to sanitize user input especially when you are directly passing them to Sequelize methods.

To me it wasn't clear where to set operatorsAliases, or what to set it to.

A couple suggestions if it's not just me who's confused.

  1. In the security section mentioned above, tell people When instantiating Sequelize, you are required to specify Operator Aliases or specifically set this value to false (set operatorAliases: false).

  2. Set operatorAliases: false by default on the Sequelize constructor so that others don't get the deprecation warning. Not sure of the implications here.

Thanks for all the hard work on this project!

@alanpurple alanpurple commented Oct 6, 2017

I have no "$" things anywhere in my start code, but I still get that deprecation warning

Author

@krishangupta krishangupta commented Oct 6, 2017

I also get it when doing a migration fyi.

@trinitroglycerin trinitroglycerin commented Oct 7, 2017

This also occurs in findById - there's no way of passing operators here.

@ekamgit ekamgit commented Oct 7, 2017

This occurs using the basic 'Getting started' example from the main page. I do not even have a single query. I literally have the following code in index.js and get the warning.

```js
const Sequelize = require('sequelize');

const sequelize = new Sequelize('database', 'username', 'password', {
  host: 'localhost',
  dialect: 'mysql',

  pool: {
    max: 5,
    min: 0,
    idle: 10000
  }
});
```

@alanpurple alanpurple commented Oct 7, 2017

So this warning sure is a bug, as mentioned by many people

@fedtuck fedtuck commented Oct 7, 2017

same thing for me

@siguago siguago commented Oct 8, 2017

Just add this to options.

operatorsAliases: false

@reservce reservce commented Oct 9, 2017

I tried to use

```js
const Op = Sequelize.Op;
const operatorsAliases = {...}
```

following this http://docs.sequelizejs.com/manual/tutorial/querying.html#operators-aliases
However I got error:
Invalid value [object Object]
when the code below runs:

```js
let options = {where: {}, raw: true};
...
options.where.name = {$ilike: `%${filters.name}%`};
options.where.duration = filters.duration;
...
Banners.findAndCountAll(options);
```

Before update operatorsAliases, everything works fine.
How can I fix this?

@ghost ghost commented Oct 9, 2017

```js
const Op = Sequelize.Op;
const sequelize = new Sequelize('test', 'test', 'pass1234', {
  host: '127.0.0.1',
  dialect: 'mysql',
  operatorsAliases: Op, // use Sequelize.Op
  pool: {
    max: 5,
    min: 0,
    idle: 10000
  },
})
```

@alanpurple alanpurple commented Oct 9, 2017

@andy1028 thanks, this solves mine

and to Sequelizers, why operatorAliases: Sequelize.Op is not default? though "without it" is deprecated

@ghost ghost commented Oct 9, 2017

for compatibility history release

@charlierudolph charlierudolph commented Oct 9, 2017

I'm experiencing this as reported by @danpantry: using findById appears to trigger this warning. Should that be extracted to its own issue?

@createthis createthis commented Oct 12, 2017

Here is what this looks like if you use sequelize-cli and config.js or config.json:

```js
const Sequelize = require("sequelize");
module.exports = {
  development: {
    dialect: "sqlite",
    storage: "./db.development.sqlite",
    seederStorage: "sequelize",
    operatorsAliases: Sequelize.Op,
    /* "logging": console.log, */
  },
  test: {
    dialect: "sqlite",
    storage: "./db.test.sqlite",
    operatorsAliases: Sequelize.Op,
    logging: false
  },
  production: {
    dialect: "sqlite",
    storage: "./db.production.sqlite",
    seederStorage: "sequelize",
    operatorsAliases: Sequelize.Op,
    /* "logging": console.log, */
  }
}
```

Contributor

@grantcarthew grantcarthew commented Oct 19, 2017

Please add operatorsAliases: Sequelize.Op to the beginner tutorial.
http://docs.sequelizejs.com/manual/installation/getting-started.html

Your getting started document shouldn't cause a deprecation warning.

I'm just starting to learn sequelize. First 11 lines of code and I am searching issues???

Contributor

@Laurensdc Laurensdc commented Oct 30, 2017

Could somebody please provide an example of a where query with a symbolic operator?
I only find examples of the $or syntax, and the documentation is too limited.

I've brute forced all possible syntax variations I can think of, and can't get it to work.
I'm getting "Invalid value: {}" or my operators are completely ignored.
Been trying to simply get an OR clause to work for over an hour now...

@jimrand1 jimrand1 commented Nov 2, 2017

I'm learning this as well. Working my way through "Node.js Web Development". Page 179, added "operatorsAliases: Sequelize.Op" to the YAML configuration file. Page 175, added "const Op = Sequelize.Op;" to the models/notes-sequelize.js file. Then, in each find line changed

```js
return SQNote.find({ where: {notekey: key }})
```

to

```js
return SQNote.find({ where: {notekey: { [Op.eq]: key } }})
```

Coming from the Microsoft world with SQL command parameters, this appears to be a good way to avoid SQL injection attacks.

I'm just guessing that the above is the suggested solution.

Contributor

@yonjah yonjah commented Nov 3, 2017

@andy1028 @alanpurple please don't use the @andy1028 mentioned code.
Sequelize.Op is very different from the normal aliases being used by Sequelize. It will cause your setup to behave in an unexpected manner, introduce security issues, and it is probably not what you want anyway.
Since you're not using aliases you can probably just set aliases to false -

```js
const sequelize = new Sequelize('test', 'test', 'pass1234', {
  host: '127.0.0.1',
  dialect: 'mysql',
  operatorsAliases: false, // disable aliases
  pool: {
    max: 5,
    min: 0,
    idle: 10000
  },
})
```

If you do want to use aliases please follow the suggestion in the documentation -

```js
const Op = Sequelize.Op;
const operatorsAliases = {
  $eq: Op.eq,
  $ne: Op.ne,
  $gte: Op.gte,
  $gt: Op.gt,
  // ...
};

const connection = new Sequelize(db, user, pass, { operatorsAliases });
```

It might look long but this enables ALL previously existing aliases. You can remove the ones you don't use from the operatorsAliases. For example, if you only want to use '$gt' -

```js
const operatorsAliases = {
  $gt: Sequelize.Op.gt
};
const connection = new Sequelize(db, user, pass, { operatorsAliases });
```

@Laurensdc you can see more examples in http://docs.sequelizejs.com/manual/tutorial/querying.html#basics

```js
const Op = Sequelize.Op;

Post.findAll({
  where: {
    [Op.or]: [{authorId: 1}, {authorId: 2}]
  }
});
```

@krishangupta @danpantry Even if you don't use aliases in your code, Sequelize enables them by default. This warning is especially intended for users like you who were never aware these aliases are enabled and weren't using them. Now you are aware of them and can disable them.

The only reason they are not disabled by default is that it will be a breaking change, so it will only happen on v5, but since there are minor security issues by enabling aliases and not properly sanitizing them (and it is impossible to sanitize aliases you are not aware of) we opt in to adding the warning on current version. You can ignore this warning if you really want to and Sequelize will work exactly the same, but you probably shouldn't.

We tried to explain the reason for aliases and this warning as best as we could, but documentation can always be improved, and if you have any suggestions a pull request will be appreciated.
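
The operator injection explained earlier in the thread and the alias settings discussed in the comment above, modelled as an added example (not code from the thread or from Sequelize). `compileWhere` is a toy where-clause compiler; `Op`, `LEGACY_ALIASES`, the handler functions and the request bodies are constructed stand-ins, and an empty alias map plays the role of `operatorsAliases: false`.

```javascript
// Stand-in for Sequelize.Op (constructed for this example): operators are Symbols.
const Op = Object.freeze({ eq: Symbol.for('eq'), gt: Symbol.for('gt') });

// SQL text for each Symbol operator.
const SQL_OPERATORS = { [Op.eq]: '=', [Op.gt]: '>' };

// Plays the role of the string aliases that stay enabled unless turned off.
const LEGACY_ALIASES = { $eq: Op.eq, $gt: Op.gt };

// Toy where-clause compiler, NOT Sequelize's implementation.
// `aliases` models the operatorsAliases option; {} models operatorsAliases: false.
function compileWhere(where, aliases = {}) {
  const clauses = [];
  const binds = [];
  for (const column of Object.keys(where)) {
    const value = where[column];
    if (value === null || typeof value !== 'object') {
      // Scalar value: plain equality with a bound parameter.
      clauses.push(`${column} = ?`);
      binds.push(value);
      continue;
    }
    // Object value: Symbol keys are always operators; string keys are
    // operators only when the alias map names them.
    const operators = Object.getOwnPropertySymbols(value).map((sym) => [sym, value[sym]]);
    for (const key of Object.keys(value)) {
      if (!Object.prototype.hasOwnProperty.call(aliases, key)) {
        throw new Error(`Invalid value for ${column}: unknown key ${JSON.stringify(key)}`);
      }
      operators.push([aliases[key], value[key]]);
    }
    if (operators.length === 0) {
      throw new Error(`Invalid value for ${column}: {}`);
    }
    for (const [sym, operand] of operators) {
      if (!Object.prototype.hasOwnProperty.call(SQL_OPERATORS, sym)) {
        throw new Error(`Unsupported operator for ${column}`);
      }
      clauses.push(`${column} ${SQL_OPERATORS[sym]} ?`);
      binds.push(operand);
    }
  }
  return { sql: clauses.join(' AND '), binds };
}

// Handler model: the token comes straight from a parsed request.
function findTokenQuery(rawJson, aliases) {
  const { token } = JSON.parse(rawJson);
  return compileWhere({ token }, aliases);
}

// Same handler with an application-side type check: a token is only ever a string.
function findTokenQueryChecked(rawJson, aliases) {
  const { token } = JSON.parse(rawJson);
  if (typeof token !== 'string') {
    throw new TypeError('token must be a string');
  }
  return compileWhere({ token }, aliases);
}

// Report the outcome of a compile attempt instead of throwing.
function attempt(fn) {
  try {
    return { ok: true, ...fn() };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed request bodies: an ordinary lookup and the object-valued token
// from the explanation earlier in the thread.
const HONEST = '{"token": "6f1c"}';
const CRAFTED = '{"token": {"$gt": 1}}';

function demo() {
  return {
    // Ordinary lookup: equality on the supplied string.
    honest: attempt(() => findTokenQuery(HONEST, LEGACY_ALIASES)),
    // Aliases enabled: the string key is promoted to an operator (token > 1).
    craftedWithAliases: attempt(() => findTokenQuery(CRAFTED, LEGACY_ALIASES)),
    // Aliases disabled: the same input is rejected as an invalid value.
    craftedAliasesOff: attempt(() => findTokenQuery(CRAFTED, {})),
    // Type check in the handler rejects it before the query is built.
    craftedChecked: attempt(() => findTokenQueryChecked(CRAFTED, LEGACY_ALIASES)),
    // A developer-written Symbol operator still works with aliases disabled.
    developerSymbol: attempt(() => compileWhere({ token: { [Op.gt]: 1 } }, {})),
    // JSON parsing never yields Symbol keys, so a request cannot supply Op.gt.
    symbolKeysFromJson: Object.getOwnPropertySymbols(JSON.parse(CRAFTED).token).length,
  };
}

console.log(demo());
```
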

@jimrand1 jimrand1 commented Nov 3, 2017

Is my assumption correct that Sequelize.Op sanitizes user input to avoid SQL injection attacks?

Assuming in the example above with the authorID, the user passes in two alternatives. Instead of hard coded values of 1 or 2, the ids are stored in variables id1 and id2. Should the query then be:

```js
Post.findAll({
  where: {
    [Op.or]: [{authorId: { [Op.eq]: id1 }}, {authorId: { [Op.eq]: id2 }}]
  }
});
```

Contributor

@yonjah yonjah commented Nov 3, 2017

@jimrand1 You are correct that this change was done to reduce the chance of injections.
The query you mentioned should work as well, but you don't have to use the Op.eq there since it will be the operator used in this case anyway.

So if you never used operators before ('$eq', '$or', '$gt' etc... ) you don't need to use the equivalent Op.### now and you can use Sequelize exactly as you used before.

But you should be aware that even if you were not using them they can still be injected so unless you disable them or explicitly select the ones you want to use you'll see this warning

Contributor

@Laurensdc Laurensdc commented Nov 7, 2017

@yonjah Thank you so much!

I don't even know what I was doing wrong at this point, but I've got my queries working with proper symbolic operators.

I find the docs to be a tad too minimalistic on this part, since most examples are under 'Combinations', and are quite confusing in my opinion.

Old:

```js
BComponent.findAll({
    where: {
        type: {
            $or: [req.body.type, 'B']
        }
    },
})
```

New option 1 that's working:

```js
BComponent.findAll({
    where: {
        [Op.or]: [{type: req.body.type}, {type: 'B'}]
    },
})
```

New option 2 that's working:

```js
BComponent.findAll({
    where: {
        type: {
            [Op.or]: [req.body.type, 'B']
        }
    },
})
```

Cheers!

@Restuta Restuta commented Mar 31, 2019

This TL;DR should be in the original description, saves so much time @krishangupta

@bradennapier bradennapier commented Apr 6, 2019

As far as I can tell, all this information is incorrect now?

  1. Setting operatorsAliases to false produces an error that it is a no-op

```
(node:23934) [SEQUELIZE0004] DeprecationWarning: A boolean value was passed to options.operatorsAliases. This is a no-op with v5 and should be removed.
```

  2. Setting operatorsAliases to the recommended for aliasing will still produce a warning (as shown in documentation)

```js
const Op = Sequelize.Op;
const operatorsAliases = {
  $eq: Op.eq,
  $ne: Op.ne,
  $gte: Op.gte,
  $gt: Op.gt,
  $lte: Op.lte,
  $lt: Op.lt,
  $not: Op.not,
  $in: Op.in,
  $notIn: Op.notIn,
  $is: Op.is,
  $like: Op.like,
  $notLike: Op.notLike,
  $iLike: Op.iLike,
  $notILike: Op.notILike,
  $regexp: Op.regexp,
  $notRegexp: Op.notRegexp,
  $iRegexp: Op.iRegexp,
  $notIRegexp: Op.notIRegexp,
  $between: Op.between,
  $notBetween: Op.notBetween,
  $overlap: Op.overlap,
  $contains: Op.contains,
  $contained: Op.contained,
  $adjacent: Op.adjacent,
  $strictLeft: Op.strictLeft,
  $strictRight: Op.strictRight,
  $noExtendRight: Op.noExtendRight,
  $noExtendLeft: Op.noExtendLeft,
  $and: Op.and,
  $or: Op.or,
  $any: Op.any,
  $all: Op.all,
  $values: Op.values,
  $col: Op.col
};

const connection = new Sequelize(db, user, pass, { operatorsAliases });
```

Will produce the warning

```
(node:23711) [SEQUELIZE0003] DeprecationWarning: String based operators are deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/querying.html#operators
```

even though the linked docs clearly indicate:

Sequelize will warn you if you're using the default aliases and not limiting them if you want to keep using all default aliases (excluding legacy ones) without the warning you can pass the following operatorsAliases option -

A bit of a mess here. Understandable, it's a bit of a confusing transition, but it sucks that there seems to be no way to transition smoothly without those warnings showing up everywhere and worrying various engineers when they run into it.

In our case, we have a lib that handles Sequelize versions 3-5 as we transition libraries to use the latest. It appears impossible at this point to not get warnings on all our applications.


This may be due to v5 being used in this test scenario, but the documentation for v5 should then reflect that this option is no longer allowed in any way and the warning will always show if that option is ever defined at all.

@SystemDisc SystemDisc commented Apr 7, 2019

@bradennapier This thread relates to v4. In v4, set operatorsAliases to false. In v5, do not set operatorsAliases unless you have a very specific use case and you understand the original vulnerability: #7310

Please, would you mind removing the snippet you posted regarding setting up string-based operators? I feel it will confuse new users to sequelize and/or users who have not seen this thread before. In your second bullet, where you use the word "recommended", it is very misleading. Everyone is strongly urged to NOT use string-based operators and to not define their own aliases - it'll be safer for you, especially if you do not fully understand the original vulnerability or how operatorsAliases works.

By the way, "This is a no-op with v5 and should be removed." has the same meaning as the sentence "This does nothing in v5 and should be removed."

To anyone confused, please read this TL;DR: #8417 (comment)
I've updated that post to include information regarding v5.

n-parasochka pushed a commit to n-parasochka/react-starter-kit that referenced this issue Apr 29, 2019
 * chore: Update packages 
 * fix: "Deprecation warning for String based operators" sequelize/sequelize#8417

@plinioaltoe plinioaltoe commented May 6, 2019

I just did this: operatorsAliases: "false"

Put "false" as string and not bool. It worked for me

@SystemDisc SystemDisc commented May 6, 2019

@plinioaltoe You should be setting operatorsAliases: false (boolean false) in v4 and not setting it at all in v5+

@eoknait eoknait commented Dec 23, 2019

I did everything according to the instructions and I have a 404 error. I downloaded the project from github, I also have a 404 error for each address. only localhost: 3000,

Express works

Welcome to Express

@dehypnosis dehypnosis commented Jan 10, 2020

For my system, query payloads with complex operators are transferred from my internal services which means payloads are serialized as text based packet and then unserialized again to JSON which will be parsed as sequelize find options / where attribute.

So I really need this string based operator aliases feature. And hope this feature shall not be deprecated.. ever. I really don't wanna dig into complex payload and map string aliases to symbol operators.

Also I cannot turn this deprecation warning off.
For now.. for someone like me.

```js
// tslint:disable-next-line:no-var-requires
require("sequelize/lib/utils/deprecations").noStringOperators = () => {};
```

@papb papb removed the question label Jan 17, 2020
hyochan added a commit to dooboolab/hackatalk-server that referenced this issue Jan 27, 2020
* Improve users query
   - includeUser and filter users by arguments.
* Remove operatorsAliases in sequelize for security issue
   - sequelize/sequelize#8417
* More implementations on notification and channel resolvers
* Update subscription senario for FriendSub
* Add friendChanged subscription

@francodoshii francodoshii commented Feb 19, 2020

I tried to use

```js
const Op = Sequelize.Op;
const operatorsAliases = {...}
```

following this http://docs.sequelizejs.com/manual/tutorial/querying.html#operators-aliases
However I got error:
Invalid value [object Object]
when this code below run:

```js
let options = {where: {}, raw: true};
...
options.where.name = {$ilike: `%${filters.name}%`};
options.where.duration = filters.duration;
...
Banners.findAndCountAll(options);
```

Before update operatorsAliases, everything works fine.
How can I fix this?

Experiencing the same issue, were you able to solve this?

piglovesyou added a commit to kriasoft/react-starter-kit that referenced this issue Feb 24, 2020
* Update to webpack-assets-manifest v3.0.0 (#1594)

* Update packages (#1595)

 * chore: Update packages 
 * fix: "Deprecation warning for String based operators" sequelize/sequelize#8417

- [Commits](yahoo/serialize-javascript@v1.9.1...v2.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/preset-env from 7.6.3 to 7.7.1 (#1782)

Bumps [@babel/preset-env](https://github.com/babel/babel) from 7.6.3 to 7.7.1.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.6.3...v7.7.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump babel-jest from 23.6.0 to 24.9.0 (#1783)

Bumps [babel-jest](https://github.com/facebook/jest/tree/HEAD/packages/babel-jest) from 23.6.0 to 24.9.0.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](https://github.com/facebook/jest/commits/v24.9.0/packages/babel-jest)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump flow-bin from 0.81.0 to 0.111.3 (#1784)

Bumps [flow-bin](https://github.com/flowtype/flow-bin) from 0.81.0 to 0.111.3.
- [Release notes](https://github.com/flowtype/flow-bin/releases)
- [Commits](flowtype/flow-bin@v0.81.0...v0.111.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump passport-facebook from 2.1.1 to 3.0.0 (#1785)

Bumps [passport-facebook](https://github.com/jaredhanson/passport-facebook) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/jaredhanson/passport-facebook/releases)
- [Commits](jaredhanson/passport-facebook@v2.1.1...v3.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump svg-url-loader from 2.3.3 to 3.0.2 (#1786)

Bumps [svg-url-loader](https://github.com/bhovhannes/svg-url-loader) from 2.3.3 to 3.0.2.
- [Release notes](https://github.com/bhovhannes/svg-url-loader/releases)
- [Commits](bhovhannes/svg-url-loader@v2.3.3...v3.0.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/node from 7.6.3 to 7.7.0 (#1787)

Bumps [@babel/node](https://github.com/babel/babel) from 7.6.3 to 7.7.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.6.3...v7.7.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump eslint-plugin-flowtype from 2.50.3 to 3.13.0 (#1788)

Bumps [eslint-plugin-flowtype](https://github.com/gajus/eslint-plugin-flowtype) from 2.50.3 to 3.13.0.
- [Release notes](https://github.com/gajus/eslint-plugin-flowtype/releases)
- [Commits](gajus/eslint-plugin-flowtype@v2.50.3...v3.13.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump null-loader from 0.1.1 to 3.0.0 (#1789)

Bumps [null-loader](https://github.com/webpack-contrib/null-loader) from 0.1.1 to 3.0.0.
- [Release notes](https://github.com/webpack-contrib/null-loader/releases)
- [Changelog](https://github.com/webpack-contrib/null-loader/blob/master/CHANGELOG.md)
- [Commits](https://github.com/webpack-contrib/null-loader/commits/v3.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump react-error-overlay from 4.0.1 to 6.0.3 (#1790)

Bumps [react-error-overlay](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-error-overlay) from 4.0.1 to 6.0.3.
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/facebook/create-react-app/blob/master/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-error-overlay@6.0.3/packages/react-error-overlay)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/core from 7.6.4 to 7.7.2 (#1792)

Bumps [@babel/core](https://github.com/babel/babel) from 7.6.4 to 7.7.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.6.4...v7.7.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump opn-cli from 3.1.0 to 5.0.0 (#1793)

Bumps [opn-cli](https://github.com/sindresorhus/open-cli) from 3.1.0 to 5.0.0.
- [Release notes](https://github.com/sindresorhus/open-cli/releases)
- [Commits](sindresorhus/open-cli@v3.1.0...v5.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/plugin-proposal-class-properties from 7.5.5 to 7.7.0 (#1794)

Bumps [@babel/plugin-proposal-class-properties](https://github.com/babel/babel) from 7.5.5 to 7.7.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.5.5...v7.7.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump express-graphql from 0.6.12 to 0.8.0 (#1795)

Bumps [express-graphql](https://github.com/graphql/express-graphql) from 0.6.12 to 0.8.0.
- [Release notes](https://github.com/graphql/express-graphql/releases)
- [Commits](graphql/express-graphql@v0.6.12...v0.8.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/polyfill from 7.6.0 to 7.7.0 (#1796)

Bumps [@babel/polyfill](https://github.com/babel/babel) from 7.6.0 to 7.7.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.6.0...v7.7.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump stylelint from 9.10.1 to 10.1.0 (#1798)

Bumps [stylelint](https://github.com/stylelint/stylelint) from 9.10.1 to 10.1.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](stylelint/stylelint@9.10.1...10.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump @babel/preset-react from 7.6.3 to 7.7.0 (#1799)

Bumps [@babel/preset-react](https://github.com/babel/babel) from 7.6.3 to 7.7.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.6.3...v7.7.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump pixrem from 4.0.1 to 5.0.0 (#1800)

Bumps [pixrem](https://github.com/robwierzbowski/node-pixrem) from 4.0.1 to 5.0.0.
- [Release notes](https://github.com/robwierzbowski/node-pixrem/releases)
- [Changelog](https://github.com/robwierzbowski/node-pixrem/blob/master/CHANGELOG.md)
- [Commits](https://github.com/robwierzbowski/node-pixrem/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump chokidar from 2.1.8 to 3.3.0 (#1801)

Bumps [chokidar](https://github.com/paulmillr/chokidar) from 2.1.8 to 3.3.0.
- [Release notes](https://github.com/paulmillr/chokidar/releases)
- [Commits](https://github.com/paulmillr/chokidar/commits/3.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump prettier from 1.18.2 to 1.19.1 (#1802)

Bumps [prettier](https://github.com/prettier/prettier) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/master/CHANGELOG.md)
- [Commits](prettier/prettier@1.18.2...1.19.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Use Function Components and Hooks (#1797)

* Use function component and hooks

* update docs

* Bump url-loader from 1.1.2 to 2.2.0 (#1805)

Bumps [url-loader](https://github.com/webpack-contrib/url-loader) from 1.1.2 to 2.2.0.
- [Release notes](https://github.com/webpack-contrib/url-loader/releases)
- [Changelog](https://github.com/webpack-contrib/url-loader/blob/master/CHANGELOG.md)
- [Commits](webpack-contrib/url-loader@v1.1.2...v2.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump universal-router from 6.0.0 to 8.3.0 (#1807)

Bumps [universal-router](https://github.com/kriasoft/universal-router) from 6.0.0 to 8.3.0.
- [Release notes](https://github.com/kriasoft/universal-router/releases)
- [Changelog](https://github.com/kriasoft/universal-router/blob/master/CHANGELOG.md)
- [Commits](kriasoft/universal-router@v6.0.0...v8.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump glob from 7.1.5 to 7.1.6 (#1809)

Bumps [glob](https://github.com/isaacs/node-glob) from 7.1.5 to 7.1.6.
- [Release notes](https://github.com/isaacs/node-glob/releases)
- [Changelog](https://github.com/isaacs/node-glob/blob/master/changelog.md)
- [Commits](isaacs/node-glob@v7.1.5...v7.1.6)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump stylelint-config-standard from 18.3.0 to 19.0.0 (#1806)

Bumps [stylelint-config-standard](https://github.com/stylelint/stylelint-config-standard) from 18.3.0 to 19.0.0.
- [Release notes](https://github.com/stylelint/stylelint-config-standard/releases)
- [Changelog](https://github.com/stylelint/stylelint-config-standard/blob/master/CHANGELOG.md)
- [Commits](stylelint/stylelint-config-standard@18.3.0...19.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump stylelint-order from 2.2.1 to 3.1.1 (#1808)

Bumps [stylelint-order](https://github.com/hudochenkov/stylelint-order) from 2.2.1 to 3.1.1.
- [Release notes](https://github.com/hudochenkov/stylelint-order/releases)
- [Changelog](https://github.com/hudochenkov/stylelint-order/blob/master/CHANGELOG.md)
- [Commits](hudochenkov/stylelint-order@2.2.1...3.1.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump stylelint from 10.1.0 to 11.1.1 (#1810)

Bumps [stylelint](https://github.com/stylelint/stylelint) from 10.1.0 to 11.1.1.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](stylelint/stylelint@10.1.0...11.1.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump flow-bin from 0.111.3 to 0.112.0 (#1811)

Bumps [flow-bin](https://github.com/flowtype/flow-bin) from 0.111.3 to 0.112.0.
- [Release notes](https://github.com/flowtype/flow-bin/releases)
- [Commits](flowtype/flow-bin@v0.111.3...v0.112.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump react-dev-utils from 5.0.3 to 9.1.0 (#1812)

Bumps [react-dev-utils](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-dev-utils) from 5.0.3 to 9.1.0.
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/facebook/create-react-app/blob/master/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-dev-utils@9.1.0/packages/react-dev-utils)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump postcss-calc from 6.0.2 to 7.0.1 (#1813)

Bumps [postcss-calc](https://github.com/postcss/postcss-calc) from 6.0.2 to 7.0.1.
- [Release notes](https://github.com/postcss/postcss-calc/releases)
- [Changelog](https://github.com/postcss/postcss-calc/blob/master/CHANGELOG.md)
- [Commits](postcss/postcss-calc@6.0.2...7.0.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump babel-eslint from 9.0.0 to 10.0.3 (#1814)

Bumps [babel-eslint](https://github.com/babel/babel-eslint) from 9.0.0 to 10.0.3.
- [Release notes](https://github.com/babel/babel-eslint/releases)
- [Commits](babel/babel-eslint@v9.0.0...v10.0.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump graphql from 0.13.2 to 14.5.8 (#1815)

Bumps [graphql](https://github.com/graphql/graphql-js) from 0.13.2 to 14.5.8.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v0.13.2...v14.5.8)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump lint-staged from 9.4.2 to 9.4.3 (#1816)

Bumps [lint-staged](https://github.com/okonet/lint-staged) from 9.4.2 to 9.4.3.
- [Release notes](https://github.com/okonet/lint-staged/releases)
- [Commits](okonet/lint-staged@v9.4.2...v9.4.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump query-string from 6.8.3 to 6.9.0 (#1817)

Bumps [query-string](https://github.com/sindresorhus/query-string) from 6.8.3 to 6.9.0.
- [Release notes](https://github.com/sindresorhus/query-string/releases)
- [Commits](sindresorhus/query-string@v6.8.3...v6.9.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump express-graphql from 0.8.0 to 0.9.0 (#1818)

Bumps [express-graphql](https://github.com/graphql/express-graphql) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/graphql/express-graphql/releases)
- [Commits](graphql/express-graphql@v0.8.0...v0.9.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump react-dom from 16.11.0 to 16.12.0 (#1819)

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 16.11.0 to 16.12.0.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v16.12.0/packages/react-dom)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump react from 16.11.0 to 16.12.0 (#1820)

Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 16.11.0 to 16.12.0.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v16.12.0/packages/react)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump react-test-renderer from 16.11.0 to 16.12.0 (#1821)

Bumps [react-test-renderer](https://github.com/facebook/react/tree/HEAD/packages/react-test-renderer) from 16.11.0 to 16.12.0.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v16.12.0/packages/react-test-renderer)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Test "yarn start" (#1828)

* mod: Use execa

* mod: Connect IO to the front process by default

* Test "yarn start"

* "starts GraphiQL" should fail. Should downgrade express-graphql to 0.8.9.

* Downgrade express-graphql for quick fix for #1822

* chore(deps-dev): bump husky from 3.0.9 to 3.1.0 (#1824)

Bumps [husky](https://github.com/typicode/husky) from 3.0.9 to 3.1.0.
- [Release notes](https://github.com/typicode/husky/releases)
- [Changelog](https://github.com/typicode/husky/blob/master/CHANGELOG.md)
- [Commits](typicode/husky@v3.0.9...v3.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump eslint-config-prettier from 6.5.0 to 6.6.0 (#1826)

Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-config-prettier/blob/master/CHANGELOG.md)
- [Commits](prettier/eslint-config-prettier@v6.5.0...v6.6.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump postcss from 7.0.21 to 7.0.23 (#1827)

Bumps [postcss](https://github.com/postcss/postcss) from 7.0.21 to 7.0.23.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/master/CHANGELOG.md)
- [Commits](postcss/postcss@7.0.21...7.0.23)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump stylelint from 11.1.1 to 12.0.0 (#1825)

Bumps [stylelint](https://github.com/stylelint/stylelint) from 11.1.1 to 12.0.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](stylelint/stylelint@11.1.1...12.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Update getting-started.md (#1829)

From Yarn 1.0 onwards, scripts don't require "--" for options to be forwarded

* chore(deps-dev): bump @babel/preset-env from 7.7.1 to 7.7.4 (#1832)

Bumps [@babel/preset-env](https://github.com/babel/babel) from 7.7.1 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.7.1...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/core from 7.7.2 to 7.7.4 (#1831)

Bumps [@babel/core](https://github.com/babel/babel) from 7.7.2 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.7.2...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/preset-flow from 7.0.0 to 7.7.4 (#1833)

Bumps [@babel/preset-flow](https://github.com/babel/babel) from 7.0.0 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.0.0...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/preset-react from 7.7.0 to 7.7.4 (#1834)

Bumps [@babel/preset-react](https://github.com/babel/babel) from 7.7.0 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.7.0...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/node from 7.7.0 to 7.7.4 (#1837)

Bumps [@babel/node](https://github.com/babel/babel) from 7.7.0 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.7.0...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/plugin-transform-react-inline-elements (#1836)

Bumps [@babel/plugin-transform-react-inline-elements](https://github.com/babel/babel) from 7.2.0 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.2.0...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump eslint-config-prettier from 6.6.0 to 6.7.0 (#1830)

Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 6.6.0 to 6.7.0.
- [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-config-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-config-prettier/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump @babel/plugin-proposal-class-properties (#1838)

Bumps [@babel/plugin-proposal-class-properties](https://github.com/babel/babel) from 7.7.0 to 7.7.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.7.0...v7.7.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* chore(deps-dev): bump url-loader from 2.2.0 to 2.3.0 (#1839)

Bumps [url-loader](https://github.com/webpack-contrib/url-loader) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/webpack-contrib/url-loader/releases)
- [Changelog](https://github.com/webpack-contrib/url-loader/blob/master/CHANGELOG.md)
- [Commits](webpack-contrib/url-loader@v2.2.0...v2.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Use test-watch instead of test:watch (#1851)

According to the read me it should go:

yarn run test-watch             # Run unit tests in watch mode

* chore(deps): [security] bump serialize-javascript from 2.1.0 to 2.1.1 (#1866)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 2.1.0 to 2.1.1. **This update includes a security fix.**
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v2.1.0...v2.1.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Update Dockerfile (#1870)

* Update node base image to 8.16.2

Update node alpine image to fix the engine "node" incompatible error.

* Set permissions for "node" user

Fix SequelizeConnectionError: SQLITE_CANTOPEN: unable to open database file

Co-authored-by: Maksim Markelov <maks-markel@mail.ru>
Co-authored-by: Joseph Frazier <1212jtraceur@gmail.com>
Co-authored-by: Pavel Lang <langpavel@phpskelet.org>
Co-authored-by: wwendyc <wendy.changw@gmail.com>
Co-authored-by: Paweł Małolepszy <pawel.malolepszy@gmail.com>
Co-authored-by: Soichi Takamura <thepiglovesyou@gmail.com>
Co-authored-by: Ryan Whitworth <me@ryanwhitworth.com>
Co-authored-by: Agustina Chaer <aguschaer@gmail.com>
Co-authored-by: Alexey Kutalo <kutalo84@gmail.com>
Co-authored-by: Fabricio Asfora Lira <32206134+minggas@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Mаартен - Maarten <maarten@oudenniel.nl>
Co-authored-by: Milagros Gómez <milagrosggomez@gmail.com>
Co-authored-by: Tan Shuai <7anshuai@gmail.com>

@francodoshii francodoshii commented Feb 26, 2020

experiencing this issue at 5.18.4


@francodoshii francodoshii commented Feb 26, 2020

Assigned operatorsAliases an empty array [] so as not to trigger the warning. We are not using operatorsAliases; will this cause an issue?
The above assignment results in this.OperatorsAliasMap = false.

setOperatorsAliases(aliases) {
  if (!aliases || _.isEmpty(aliases)) {
    this.OperatorsAliasMap = false;
  } else {
    this.OperatorsAliasMap = Object.assign({}, aliases);
  }
}


@francodoshii francodoshii commented Feb 26, 2020

As far as I can tell, all this information is incorrect now?

  1. Setting operatorsAliases to false produces an error that it is a no-op
(node:23934) [SEQUELIZE0004] DeprecationWarning: A boolean value was passed to options.operatorsAliases. This is a no-op with v5 and should be removed.
  2. Setting operatorsAliases to the recommended value for aliasing will still produce a warning (as shown in the documentation)
const Op = Sequelize.Op;
const operatorsAliases = {
  $eq: Op.eq,
  $ne: Op.ne,
  $gte: Op.gte,
  $gt: Op.gt,
  $lte: Op.lte,
  $lt: Op.lt,
  $not: Op.not,
  $in: Op.in,
  $notIn: Op.notIn,
  $is: Op.is,
  $like: Op.like,
  $notLike: Op.notLike,
  $iLike: Op.iLike,
  $notILike: Op.notILike,
  $regexp: Op.regexp,
  $notRegexp: Op.notRegexp,
  $iRegexp: Op.iRegexp,
  $notIRegexp: Op.notIRegexp,
  $between: Op.between,
  $notBetween: Op.notBetween,
  $overlap: Op.overlap,
  $contains: Op.contains,
  $contained: Op.contained,
  $adjacent: Op.adjacent,
  $strictLeft: Op.strictLeft,
  $strictRight: Op.strictRight,
  $noExtendRight: Op.noExtendRight,
  $noExtendLeft: Op.noExtendLeft,
  $and: Op.and,
  $or: Op.or,
  $any: Op.any,
  $all: Op.all,
  $values: Op.values,
  $col: Op.col
};

const connection = new Sequelize(db, user, pass, { operatorsAliases });

Will produce the warning

(node:23711) [SEQUELIZE0003] DeprecationWarning: String based operators are deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/querying.html#operators

even though the linked docs clearly indicate:

Sequelize will warn you if you're using the default aliases and not limiting them if you want to keep using all default aliases (excluding legacy ones) without the warning you can pass the following operatorsAliases option -

A bit of a mess here. Understandably, it's a bit of a confusing transition, but it sucks that there seems to be no way to transition smoothly without those warnings showing up everywhere and worrying various engineers when they run into it.

In our case, we have a lib that handles Sequelize versions 3-5 as we transition libraries to use the latest. It appears impossible at this point to not get warnings on all our applications.

This may be due to v5 being used in this test scenario, but the documentation for v5 should then reflect that this option is no longer allowed in any way and the warning will always show if that option is ever defined at all.

Check out my reply above. I hope it helps. If you find my workaround to be incorrect, enlighten me, thank you.


@atmanandsah atmanandsah commented May 13, 2020

Since I upgraded to 4.13.2 I get a deprecation warning

sequelize deprecated String based operators are now deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/tutorial/querying.html#operators node_modules/sequelize/lib/sequelize.js:236:13

I do not use any string based operators, however, or any operators of any kind. I didn't even know what an operator was actually, which is why I was confused.

I can fix this by adding operatorsAliases: false when instantiating the Sequelize object as below. Should this not be the default though? Or can we have the warning and documentation more clearly state that operatorsAliases: false must be set in order to avoid the warning?


const sequelize = new Sequelize(
  config.RDS_DB_NAME,
  config.RDS_USERNAME, 
  config.RDS_PASSWORD,
  {
    host: config.RDS_HOSTNAME,
    dialect: 'mysql',
    logging: false,
    freezeTableName: true,
    operatorsAliases: false
  }
)

but can you explain why we are using operatorsAliases: false


@emarcelino3 emarcelino3 commented May 13, 2020

I'm on Sequelize version 5.21.8. Same issue here.

With operatorsAliases like:

const operatorsAliases = { 
  $eq: Op.eq,
  $ne: Op.ne,
  ...

It's working fine : where: {id_ativo: { [Op.notIn] : arr }
ok

It's working fine : where: {id_ativo: { $notIn : arr } (
But warning: [SEQUELIZE0003] DeprecationWarning:

Without operatorsAliases :
Anything works using operators

What am I doing wrong?


@ninsun ninsun commented Dec 4, 2020

What should I do if I did not use operatorsAliases and want to filter the result using where, but it can only be done with JSON? Like in a RESTful API? Do I parse the JSON to an object myself?
I mean, how can I use Op.gt when I can only use JSON, something like {"where": {"start_datetime": {"$gt": "2020-11-25"}}}?
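
One way to handle the JSON case asked about above without re-enabling operatorsAliases, as an added example that is not part of this thread or of Sequelize itself: translate the `$`-prefixed keys of the parsed request body into Symbol operators through an allow-list. `Op` below is a stand-in for `Sequelize.Op` so the block runs without the library; `FILTER_POLICY`, `translateWhere`, `translateField` and the `status` column are hypothetical.

```javascript
// Stand-in for Sequelize.Op so the example runs without the library installed.
// In an application use: const { Op } = require('sequelize');
const Op = {
  eq: Symbol.for('eq'), ne: Symbol.for('ne'),
  gt: Symbol.for('gt'), gte: Symbol.for('gte'),
  lt: Symbol.for('lt'), lte: Symbol.for('lte'),
  in: Symbol.for('in'), and: Symbol.for('and'), or: Symbol.for('or'),
};

// Hypothetical per-endpoint policy: which columns a client may filter on,
// and which operators each column accepts. Everything else is rejected.
const FILTER_POLICY = {
  start_datetime: ['$gt', '$gte', '$lt', '$lte'],
  status: ['$eq', '$in'],
};

const COMPARISON = {
  $eq: Op.eq, $ne: Op.ne, $gt: Op.gt, $gte: Op.gte,
  $lt: Op.lt, $lte: Op.lte, $in: Op.in,
};
const LOGICAL = { $and: Op.and, $or: Op.or };
const MAX_DEPTH = 3; // bound on $and/$or nesting

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Operand values must be scalars: an object here would be a nested operator.
function toScalar(value, path) {
  if (['string', 'number', 'boolean'].includes(typeof value)) return value;
  throw new TypeError(`${path}: expected a string, number or boolean`);
}

function translateField(field, condition) {
  if (!has(FILTER_POLICY, field)) {
    throw new Error(`filtering on "${field}" is not allowed`);
  }
  const allowed = FILTER_POLICY[field];

  // A bare value means equality and needs $eq in the column's policy.
  if (!isPlainObject(condition)) {
    if (!allowed.includes('$eq')) {
      throw new Error(`equality is not allowed on "${field}"`);
    }
    return toScalar(condition, field);
  }

  const out = {};
  for (const [key, value] of Object.entries(condition)) {
    if (!allowed.includes(key) || !has(COMPARISON, key)) {
      throw new Error(`operator "${key}" is not allowed on "${field}"`);
    }
    if (key === '$in') {
      if (!Array.isArray(value)) throw new TypeError(`${field}.$in: expected an array`);
      out[COMPARISON[key]] = value.map((v) => toScalar(v, `${field}.$in`));
    } else {
      out[COMPARISON[key]] = toScalar(value, `${field}.${key}`);
    }
  }
  return out;
}

// Convert a parsed JSON "where" into an object keyed by Symbol operators.
function translateWhere(where, depth = 0) {
  if (!isPlainObject(where)) throw new TypeError('where must be an object');
  if (depth > MAX_DEPTH) throw new Error('where is nested too deeply');

  const out = {};
  for (const [key, value] of Object.entries(where)) {
    if (has(LOGICAL, key)) {
      if (!Array.isArray(value)) throw new TypeError(`${key}: expected an array`);
      out[LOGICAL[key]] = value.map((v) => translateWhere(v, depth + 1));
    } else {
      out[key] = translateField(key, value);
    }
  }
  return out;
}

// Constructed request body, matching the JSON shape from the comment above.
const body = JSON.parse('{"where": {"start_datetime": {"$gt": "2020-11-25"}}}');
const where = translateWhere(body.where);
// where is { start_datetime: { [Op.gt]: '2020-11-25' } }, usable as
// Model.findAll({ where }) with no operatorsAliases configured.
```

Because the result contains only Symbol keys for operators, nothing a client puts in the JSON body can become an operator unless the policy names it for that column.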


jamest1903 pushed a commit to MediaComem/smapshot-api that referenced this issue Jun 8, 2021