🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

@mikro-orm/core

Package Overview
Dependencies
Maintainers
1
Versions
4627
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@mikro-orm/core - npm Package Compare versions

Comparing version
7.1.7-dev.8
to
7.1.7
+5
-1
entity/EntityAssigner.js
import { Collection } from './Collection.js';
import { Utils } from '../utils/Utils.js';
import { DANGEROUS_PROPERTY_NAMES, Utils } from '../utils/Utils.js';
import { Reference } from './Reference.js';

@@ -38,2 +38,6 @@ import { ReferenceKind, SCALAR_TYPES } from '../enums.js';

static assignProperty(entity, propName, props, data, options) {
// needs to happen before the `props` lookup, as those keys resolve to inherited accessors
if (DANGEROUS_PROPERTY_NAMES.includes(propName)) {
return;
}
let value = data[propName];

@@ -40,0 +44,0 @@ const onlyProperties = options.onlyProperties && !(propName in props);

+1
-13

@@ -1,2 +0,2 @@

import { Utils } from '../utils/Utils.js';
import { DANGEROUS_PROPERTY_NAMES, Utils } from '../utils/Utils.js';
import { normalizePartitionNameForComparison, splitCommaSeparatedIdentifiers } from '../utils/partition-utils.js';

@@ -6,16 +6,4 @@ import { MetadataError } from '../errors.js';

/**
* List of property names that could lead to prototype pollution vulnerabilities.
* These names should never be used as entity property names because they could
* allow malicious code to modify object prototypes when property values are assigned.
*
* - `__proto__`: Could modify the prototype chain
* - `constructor`: Could modify the constructor property
* - `prototype`: Could modify the prototype object
*
* @internal
*/
const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype'];
/**
* @internal
*/
export class MetadataValidator {

@@ -22,0 +10,0 @@ validateEntityDefinition(metadata, name, options) {

{
"name": "@mikro-orm/core",
"version": "7.1.7-dev.8",
"version": "7.1.7",
"description": "TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.",

@@ -5,0 +5,0 @@ "keywords": [

@@ -6,2 +6,14 @@ import type { CompiledFunctions, Dictionary, EntityData, EntityDictionary, EntityKey, EntityMetadata, EntityName, EntityProperty, Primary } from '../typings.js';

import { type RawQueryFragmentSymbol } from './RawQueryFragment.js';
/**
* List of property names that could lead to prototype pollution vulnerabilities.
* These names should never be used as entity property names because they could
* allow malicious code to modify object prototypes when property values are assigned.
*
* - `__proto__`: Could modify the prototype chain
* - `constructor`: Could modify the constructor property
* - `prototype`: Could modify the prototype object
*
* @internal
*/
export declare const DANGEROUS_PROPERTY_NAMES: readonly string[];
/** Deeply compares two objects for equality, handling dates, regexes, and raw fragments. */

@@ -8,0 +20,0 @@ export declare function compareObjects(a: any, b: any): boolean;

@@ -8,2 +8,14 @@ import { clone } from './clone.js';

import { Raw, isRaw } from './RawQueryFragment.js';
/**
* List of property names that could lead to prototype pollution vulnerabilities.
* These names should never be used as entity property names because they could
* allow malicious code to modify object prototypes when property values are assigned.
*
* - `__proto__`: Could modify the prototype chain
* - `constructor`: Could modify the constructor property
* - `prototype`: Could modify the prototype object
*
* @internal
*/
export const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype'];
function compareConstructors(a, b) {

@@ -145,3 +157,3 @@ if (a.constructor === b.constructor) {

static PK_SEPARATOR = '~~~';
static #ORM_VERSION = '7.1.7-dev.8';
static #ORM_VERSION = '7.1.7';
/**

@@ -237,3 +249,3 @@ * Checks if the argument is instance of `Object`. Returns false for arrays.

for (const [key, value] of Object.entries(source)) {
if (['__proto__', 'constructor', 'prototype'].includes(key)) {
if (DANGEROUS_PROPERTY_NAMES.includes(key)) {
continue;

@@ -240,0 +252,0 @@ }