fix(deps): update dependency class-validator to v0.14.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
class-validator	0.9.1 -> 0.14.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

---

Release Notes

typestack/class-validator (class-validator)

v0.14.0

Compare Source

v0.13.2

Compare Source

NOTE: This version fixes a security vulnerability allowing denial of service attacks with a specially crafted request payload.
Please update as soon as possible.

Fixed

• switched to use Array.isArray in array checks from instanceof operator

Changed

• libphonenumber-js package updated to 1.9.43 from 1.9.7
• validator package updated to 13.5.2 from 13.5.2
• various dev-dependencies updated

v0.13.1

Compare Source

Added

• optional mather function has been added to the ArrayUnique decorator

Fixed

• a typo was fixed in the error message generated by the IsUUID decorator
• calling ValidationError.toString() doesn't result in an error when forbidNonWhitelisted parameter was used
• fixed typo in error message generated by IsIn decorator
• the @types/validator package is correctly installed
• inlineSources option is enabled in tsconfig preventing various sourcemap errors when consuming the package

Changed

• various dev dependencies has been updated

v0.13.0

Compare Source

Added

• project is restructured to allow three-shaking
• added option to fail on first validation error (#​620)
• two new validator option is added:
  • always - allows setting global default for always option for decorators
  • strictGroups - ignore decorators with at least one group, when ValidatorOptions.groups is empty

v0.12.2

Compare Source

Fixed

• move tslib from peerDependencies to dependencies (827eff1), closes #​588

v0.12.1

Compare Source

Fixed

• apply only nested validator for ValidateNested multi-dimensional array (c463be5)

v0.12.0

Compare Source

Fixed

• accept negative timezone in isDateString (#​564) (2012d72), closes #​565
• apply all decorators type PropertyDecorator (#​556) (5fb36e3), closes #​555
• avoiding metadataStorage from DI (#​335) (b57fef4), closes #​328 #​261 #​132
• correct registerDecorator options argument (7909ec6), closes #​302
• IsNumberString accept isNumbericOptions as argument (62b993f), closes #​518 #​463
• optional constraints property in ValidationError (#​465) (84680ad), closes #​309
• pass context to ValidationError for async validations (#​533) (4eb1216)
• switch isLatitude & isLongitude validators (#​513) (5497179), closes #​502
• switch isLatitude & isLongitude validators (#​537) (c27500b)
• ValidateNested support multi-dimensional arrays (#​539) (62678e1)

Changed

• update build process to enable tree shaking (#​568) (11a7b8b), closes #​258 #​248 #​247 #​212

Added

• sync validatorjs version from v10.11.3 to v13.0.0 (09120b7), closes #​576 #​425

v0.11.1

Compare Source

Fixed

• IsNumber validator now works when maxDecimalPlaces=0 (#​524) (b8aa922)

Added

• add all option in isuuid validator (#​452) (98e9382)
• add IsFirebasePushId validator (#​548) (e7e2e53)
• add options for isISO8601 validator (#​460) (90a6638)

v0.11.0

Compare Source

Fixed

• create instance of ValidationError for whitelist errors (#​434) (a98f5dd), closes #​325
• pass context for isDefined and custom validators (#​296) (0ef898e), closes #​292

Added

• add isHash validator (#​445) (c454cf9)
• add isISSN validator (#​450) (4bd586e)
• add isJWT validator (#​444) (874861b)
• add isMACAddress validator (#​449) (45b7df7)
• add support for maxDecimalPlaces on IsNumber (#​381) (a4dc10e)

v0.10.2

Compare Source

Fixed

• apply custom constraint class validation to each item in the array (#​295) (5bb704e), closes #​260

Added

• add isLatLong, isLatitude, isLongtitude validators (#​427) (3fd15c4), closes #​415
• add IsObject and IsNotEmptyObject new decorators (#​334) (0a41aeb)
• support ES6 Map and Set for regular validators with each option (#​430) (a055bba), closes #​428

v0.10.1

Compare Source

Fixed

• add default message for isMilitaryTime validator (#​411) (204b7df), closes #​287
• add default message for isPort validator (#​404) (74e568c)
• add locale parameter for isAlpha and isAlphanumeric validat… (#​406) (2f4bf4e)

Added

• add skipUndefinedProperties, skipNullProperties options (#​414) (76c948a), closes #​308

v0.10.0

Compare Source

Fixed

• add correct signature for custom error message handler (249c41d)

Added

• add IsISO31661Alpha3 and IsISO31661Alpha2 validators (#​273) (55c57b3)
• IsDecimal: implement IsDecimal from validatorjs (#​359) (b4c8e21)
• add isPort decorator (#​282) (36684ec)
• allow validate Map/Set (#​365) (f6fcdc5)
• new ValidatePromise decorator - resolve promise before validate (#​369) (35ec04d)
• replace instanceof Promise and support Promise/A+ (#​310) (59eac09)
• isNumberString now accept validator.js IsNumericOptions as second parameter (#​262)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

ERR! lerna Unknown command "info"
ERR! lerna Did you mean init?
npm WARN react-ssr-advanced-seed@1.0.7 No repository field.

lerna notice cli v3.18.4
lerna info versioning independent
lerna notice filter excluding "__tests__"
lerna info filter [ '!__tests__' ]
lerna info Bootstrapping 27 packages
lerna info Installing external dependencies
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only stderr:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: omega-web@0.3.11
npm ERR! Found: react@16.14.0
npm ERR! node_modules/react
npm ERR!   peer react@"^16.8.0" from @material-ui/core@4.4.2
npm ERR!   node_modules/@material-ui/core
npm ERR!     @material-ui/core@"4.4.2" from the root project
npm ERR!     peer @material-ui/core@"^4.0.0" from @material-ui/icons@4.4.1
npm ERR!     node_modules/@material-ui/icons
npm ERR!       @material-ui/icons@"4.4.1" from the root project
npm ERR!   peer react@"^16.0.0" from react-dom@16.8.6
npm ERR!   node_modules/react-dom
npm ERR!     react-dom@"16.8.6" from the root project
npm ERR!     peer react-dom@"^16.8.0" from @material-ui/core@4.4.2
npm ERR!     node_modules/@material-ui/core
npm ERR!       @material-ui/core@"4.4.2" from the root project
npm ERR!       1 more (@material-ui/icons)
npm ERR!     2 more (@material-ui/icons, @material-ui/styles)
npm ERR!   2 more (@material-ui/icons, @material-ui/styles)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: react@15.7.0
npm ERR! node_modules/react
npm ERR!   peer react@"^15.4.1" from react-fade-in@0.1.6
npm ERR!   node_modules/react-fade-in
npm ERR!     react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_38_45_450Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_38_45_450Z-debug-0.log

lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.