New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: throw if where
receives an invalid value (v6)
#15699
Conversation
Quite a small change 👍 interesting that no other test failed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Why did we mark this as a breaking change, because it will throw errors on some queries now?
Yes, but I don't see a valid use case for them that would cause actual breakage I hope I won't be proved wrong |
🎉 This PR is included in version 6.28.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
With this, using
|
I am sorry but why would you wanna do |
Ah, I have a large graphql server that has helpers glueing the possible recursivity of graphql and sequelize, and in one place the code is easier to understand if returns an |
But my point was the typing tells me undefined is ok, and null is not, but reading the code, it is the opposite, undefined is not ok, and null is. |
In my opinion we should treat undefined as being equivalent to "the property was not set" and I would consider undefined throwing an error to be a regression |
I prefer |
I don't think the type definition needs to change. What we can do is update |
Understood thanks ephys, will look into it! |
@frostzt This caused regressions for us all across across 10+ repos due to undefined previously being a supported value for where. This breaks backwards compatibility and in my opinion should not be a minor version update given the semver definition. I agree that getWhereConditions should support undefined in its implementation. We do not explicitly pass undefined, but we have functions that accept filters as a parameter and it defaults to undefined, so if that function is called without any filters then undefined will be sent to sequelize. Yes, we could explicitly type-check for undefined before using them, but again given this is a breaking change I do not think it should have been a minor version release. |
@ephys with the above when I see the initial implementation of the Should we follow this and point |
That's the idea :) I'll send a PR in a minute, I'd like to get this vuln behind us quickly |
Sorry to bother anybody, but to confirm these CVEs were resolved in 6.28.1 correct? I am assuming they are also no longer present in 6.29.3 or would I be wrong in assuming that? |
That's correct :) |
Backport of #15375 to resolve CVE-2023-22579 and CVE-2023-22580