
Update dependency class-validator to ^0.14.0 [SECURITY]#265

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-class-validator-vulnerability

Conversation

@renovate
Contributor

@renovate renovate bot commented Jan 21, 2025

This PR contains the following updates:

Package          Change
class-validator  ^0.13.1 -> ^0.14.0
class-validator  ^0.13.2 -> ^0.14.0

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default setting for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.


Release Notes

typestack/class-validator (class-validator)

v0.14.0


Fixed
  • Fixed an issue where forbidUnknownValues did not default to true when validatorOptions was undefined. (#​2196 by @​cduff)
  • Fixed the ValidationMetadata.name property to work correctly with the @IsOptional decorator. (#​2044 by @​Clashsoft)
  • Updated the Codecov configuration for continuous integration. (#​2556 by @​haiweilian)
  • Fixed an issue where options were not passed correctly to the @IsBase64 decorator. (#​2549 by @​aseyfpour)
  • Fixed argument handling for the isBase64 function. (#​2574 by @​braaar)
0.14.1 (2024-01-12)
Added
  • allow specifying options for @IsBase64 decorator (#​1845) , closes #​1013
  • use official type for version in @IsUUID decorator (#​1846) , closes #​1497
  • update @IsPhoneNumber decorator to use max dataset (#​1857)
Fixed
  • fail for non-array constraint in @IsIn decorator (#​1844) , closes #​1693
  • allow number and boolean values in validation message "$value" tokens (#​1467) , closes #​921, #​1046
  • read nullable option in @IsNotEmptyObject decorator correctly (#​1555) , closes #​1554
Changed
  • update libphonenumber-js to ^1.10.53 from ^1.10.14
  • update various dev-dependencies
0.14.0 (2022-12-09)
Added
  • add @IsTimeZone decorator to check if given string is valid IANA time zone
  • add @IsISO4217CurrencyCode decorator to check if the string is an ISO 4217 currency code
  • add @IsStrongPassword decorator to check if given password matches specific complexity criteria
  • add @IsBase58 decorator to check if a string is base58 encoded
  • add @IsTaxId decorator to check if a given string is a valid tax ID in a given locale
  • add support for passing function as date generator in @MinDate and @MaxDate decorators
  • add option to print constraint error message instead of constraint type in validation error
  • improve decorator metadata lookup performance
  • return possible values in error message for @IsEnum decorator
Fixed
  • re-added @types/validator as dependency
  • fix error generation when using @NestedValidation
  • pass validation options correctly to validator in @IsDateString decorator
  • support passing Symbol as parameter in error message generation
  • specify supported locales for @IsAlphanumeric decorator
  • correctly assign decorator name in metadata instead of losing it
  • fix various spelling errors in documentation
  • fix various spelling errors and inconsistencies in JSDoc for decorators
Changed
  • enable forbidUnknownValues option by default
  • remove documentation about deprecated schema based validation and added warning
  • update warning message logged about missing decorator metadata
  • update libphonenumber-js to ^1.10.14 from ^1.9.43
  • update various dev-dependencies
BREAKING CHANGES

forbidUnknownValues option is enabled by default

From this release the forbidUnknownValues option is enabled by default. This is the desired behavior for the majority of
use-cases, but this change may break validation for some. The two scenarios that result in failed validation:

  • when attempting to validate a class instance without metadata for it
  • when using group validation and the specified validation group results in zero validation applied

The old behavior can be restored via specifying forbidUnknownValues: false option when calling the validate functions.

For more details see PR #​1798 and #​1422 (comment).

@NestedValidation decorator correctly assigns validation errors

Until now the errors from a nested validation in some cases were incorrectly assigned
to the parent instead of the child being validated. Now the validation errors are correctly assigned.

For more details see #​679.

0.13.2 (2021-11-20)

NOTE: This version fixes a security vulnerability allowing denial of service attacks with a specially crafted request payload.
Please update as soon as possible.

Fixed
  • switched to use Array.isArray in array checks from instanceof operator
Changed
  • libphonenumber-js package updated to 1.9.43 from 1.9.7
  • validator package updated to 13.5.2 from 13.5.2
  • various dev-dependencies updated
0.13.1 (2021-01-14)
Added
  • optional matcher function has been added to the ArrayUnique decorator
Fixed
  • a typo was fixed in the error message generated by the IsUUID decorator
  • calling ValidationError.toString() doesn't result in an error when forbidNonWhitelisted parameter was used
  • fixed typo in error message generated by IsIn decorator
  • the @types/validator package is correctly installed
  • inlineSources option is enabled in tsconfig preventing various sourcemap errors when consuming the package
Changed
  • various dev dependencies have been updated
0.13.0 (2021-01-11)
Added
  • project is restructured to allow tree-shaking
  • added option to fail on first validation error (#​620)
  • two new validator options are added:
    • always - allows setting global default for always option for decorators
    • strictGroups - ignore decorators with at least one group, when ValidatorOptions.groups is empty
Fixed
  • the 'any' locale is allowed in the isPostalCode decorator (#​634)
  • the IsDateString() decorator now aliases the IsISO8601() decorator (#​672)
Changed
  • project tooling has been updated significantly
  • google-libphonenumber has been replaced with libphonenumber-js (this should have no effect on validation)
  • build process now generates both ES/CommonJS and UMD variations
  • various dev dependencies have been updated
0.12.2 (2020-04-23)
Fixed
  • move tslib from peerDependencies to dependencies (827eff1), closes #​588
0.12.1 (2020-04-18)
Fixed
  • apply only nested validator for ValidateNested multi-dimensional array (c463be5)
0.12.0 (2020-04-18)
Fixed
Changed
Added
BREAKING CHANGES
  • Validatorjs releases contain some breaking changes e.g. IsMobileNumber or IsHexColor. Please check validatorjs CHANGELOG

  • Validation functions were removed from Validator class to enable tree shaking.

    BEFORE:

    import { Validator } from 'class-validator';
    
    const validator = new Validator();
    validator.isNotIn(value, possibleValues);
    validator.isBoolean(value);

    AFTER:

    import { isNotIn, isBoolean } from 'class-validator';
    
    isNotIn(value, possibleValues);
    isBoolean(value);
  • IsNumberString decorator arguments changed to @IsNumberString(ValidatorJS.IsNumericOptions, ValidationOptions).

0.11.1 (2020-03-18)
Fixed
  • IsNumber validator now works when maxDecimalPlaces=0 (#​524) (b8aa922)
Added
0.11.0 (2019-11-01)
Fixed
Added
BREAKING CHANGES
0.10.2 (2019-10-14)
Fixed
Added
0.10.1 (2019-09-25)
Fixed
Added
0.10.0 (2019-08-10)
Fixed
  • add correct signature for custom error message handler (249c41d)
Added
  • add IsISO31661Alpha3 and IsISO31661Alpha2 validators (#​273) (55c57b3)
  • IsDecimal: implement IsDecimal from validatorjs (#​359) (b4c8e21)
  • add isPort decorator (#​282) (36684ec)
  • allow validate Map/Set (#​365) (f6fcdc5)
  • new ValidatePromise decorator - resolve promise before validate (#​369) (35ec04d)
  • replace instanceof Promise and support Promise/A+ (#​310) (59eac09)
  • isNumberString now accept validator.js IsNumericOptions as second parameter (#​262)
BREAKING CHANGES
  • update @​types/validator from 10.4.0 to version 10.11.2 - please check its changelog (cb960dd)
  • isDateString now checks to match only entire ISO Date (#​275) (5012464)
  • remove IsCurrencyOptions, IsURLOptions, IsEmailOptions, IsFQDNOptions interfaces and replace with interfaces from @types/validator
0.9.1
Added
  • added option to pass custom context for the decorators
Fixed
  • validating against a schema will validate against that one instead of every registered one
0.9.0 [BREAKING CHANGE]
Added
  • updated validator.js from 9.2.0 to 10.4.0 (Check its changelog for what has changed.)
    • until now fractional numbers were not allowed in the IsNumberString decorator, now they are allowed
    • until now Gmail addresses could contain multiple dots or random text after a + symbol, this is not allowed anymore
  • IsPhoneNumber decorator has been added which uses the google-libphonenumber library to validate international phone numbers accurately
Fixed
  • update IsURLOptions to match underlying validator host list options
  • added a console warning when no metadata decorator is found as it's possibly not intended
  • the Min and Max decorator will correctly show an inclusive error message when failing
  • fixed a runtime error when validationArguments.value is not a string
0.8.5
Fixed
  • remove ansicolor package, because it's incompatible with IE
0.8.4
Added
  • ValidatorOptions now has a forbidUnknownValues key to prevent unknown objects from passing validation
    • it's highly advised to turn this option on
    • now this option defaults to false but will default to true after the 1.0 release
0.8.3
Fixed
  • handle when target property is undefined when calling ValidationError.toString()
0.8.2
Added
  • added ValidationError.toString() method for easier debugging
  • added printError method to pretty-print errors in NodeJS or the browser
Fixed
  • fixed wrong type info in ValidatorOptions
  • fixed wrong type info in ValidationSchema (the options key now is optional)
  • corrected IsNumericString to IsNumberString in the README
  • fixed type of host_whitelist and host_backlist in IsURLOptions
0.8.1
Fixed
  • fixed wrong type info in ValidatorOptions
0.8.0 [BREAKING CHANGE]
Added
  • updated validator.js from 7.0.0 to 9.2.0 (Check its changelog for what has changed.)

    This caused breaking change, if you used the IsUrl decorator to validate localhost as a valid url, from now you must use the require_tld: false option

    @​IsUrl({ require_tld: false})
    url: string;
  • added @IsInstance decorator and validator.isInstance(value, target) method.

  • @IsNumber decorator has been changed to @IsNumber(options: IsNumberOptions)

  • added option to strip unknown properties (whitelist: true)

  • added option to throw error on unknown properties (forbidNonWhitelisted: true)

  • added @Allow decorator to prevent stripping properties without other constraint

Fixed
  • fixed issue with @IsDateString: it now allows dates without fractional seconds to be set
  • fixed issue with @IsDateString: it now allows dates without timezones to be set
  • @ValidateNested correctly generates validation error on non object and non array values
0.6.7
Fixed
  • fixed issue with @ValidateNested when nested property is not defined and it threw an error (#​59)
0.6.5
Fixed
  • fixed bugs with @IsUrl, @IsEmail and several other decorators
0.6.4
Added
  • added @IsMilitaryTime decorator.
0.6.3
Added
  • added validateOrReject method which rejects promise instead of returning array of errors in resolved result
0.6.1
Added
  • added @IsArray decorator.
0.6.0 [BREAKING CHANGE]
Added
  • breaking change with @ValidateNested on arrays: Validator now groups the validation errors by sub-object, rather than them all being grouped together. See #​32 for a demonstration of the updated structure.
  • added @ValidateIf decorator, see conditional validation in docs.
0.5.0 [BREAKING CHANGE]
Added
  • async validations must be marked with { async: true } option now.

    This is optional, but it helps to determine which decorators are async to prevent their execution in validateSync method.

  • added validateSync method that performs non asynchronous validation and ignores validations that are marked with async: true.

  • there is a breaking change in registerDecorator method. Now it accepts options object.

  • breaking change with @ValidatorConstraint decorator. Now it accepts option object instead of single name.

0.4.1
Fixed
  • fixed issue with wrong source maps packaged
0.4.0 [BREAKING CHANGE]
Added
  • everything should be imported from "class-validator" main entry point now
  • ValidatorInterface has been renamed to ValidatorConstraintInterface
  • contain can be set in the main entry point now
  • some decorator's names changed. Be aware of this
  • added few more non-string decorators
  • validator now returns array of ValidationError instead of ValidationErrorInterface. Removed old ValidationError
  • removed all other validation methods except validator.validate
  • finally validate method is async now, so custom async validations are supported now
  • added ability to validate inherited properties
  • added support of separate validation schemas
  • added support of default validation messages
  • added support of special tokens in validation messages
  • added support of message functions in validation options
  • added support of custom decorators
  • if no groups were specified, decorators with groups now are being ignored
  • changed signature of the ValidationError. Now if it has nested errors it does not return them in a flat array
Fixed
  • fixed all decorators that should not work only with strings
0.3.0
Added
  • package has changed its name from validator.ts to class-validator.
  • sanitation functionality has been removed from this library. Use class-sanitizer instead.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
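The bypass described in the CVE-2019-18413 text above and the two "zero constraints" scenarios listed under the 0.14.0 breaking change are the same mechanism: when no validation metadata applies to the object being validated, a validator whose forbidUnknownValues is false has nothing to fail and reports the input as valid. The following is an added example, not code from this PR or from class-validator: a minimal JavaScript model of a decorator-metadata validator with that switch. metadataStore, registerConstraint(), LoginDto and the scenario helpers are constructed for illustration; the option names (forbidUnknownValues, groups) follow the library, and the unknownValue error key is modelled on the library's error and should be treated as an assumption.

```javascript
// Added example, not class-validator's own code: a small model of a
// decorator-metadata validator that reproduces the behaviour behind
// CVE-2019-18413 and the 0.14.0 breaking change. metadataStore,
// registerConstraint(), LoginDto and the error objects are constructed here;
// the option names follow the library, the unknownValue key is an assumption.

// constructor -> [{ property, name, check, message, groups }]
const metadataStore = new Map();

// Stand-in for a property decorator such as @MinLength(8).
function registerConstraint(ctor, property, name, check, message, groups = []) {
  if (!metadataStore.has(ctor)) metadataStore.set(ctor, []);
  metadataStore.get(ctor).push({ property, name, check, message, groups });
}

// Constraints that apply to `instance` for the requested validation groups
// (simplified: with no groups requested, every registered constraint runs).
function applicableConstraints(instance, groups) {
  const all = metadataStore.get(instance?.constructor) || [];
  if (groups.length === 0) return all;
  return all.filter((c) => c.groups.some((g) => groups.includes(g)));
}

// validate() with the pre-0.14.0 default (forbidUnknownValues: false) so the
// bypass is visible; pass { forbidUnknownValues: true } for the 0.14.0 default.
function validate(instance, options = {}) {
  const forbidUnknownValues = options.forbidUnknownValues ?? false;
  const groups = options.groups ?? [];
  const constraints = applicableConstraints(instance, groups);

  // The security-relevant branch: when nothing is registered for this target
  // (plain object, unknown class, or a group that matches no decorator) there
  // is nothing to fail, so a permissive validator reports the input as valid.
  if (constraints.length === 0) {
    if (forbidUnknownValues) {
      return [{
        target: instance,
        property: undefined,
        constraints: { unknownValue: 'an unknown value was passed to the validate function' },
      }];
    }
    return [];
  }

  const errors = [];
  for (const c of constraints) {
    if (!c.check(instance[c.property])) {
      errors.push({ target: instance, property: c.property, constraints: { [c.name]: c.message } });
    }
  }
  return errors;
}

// --- constructed sample DTO and scenarios ----------------------------------
class LoginDto {
  constructor(name, password) {
    this.name = name;
    this.password = password;
  }
}
registerConstraint(LoginDto, 'name', 'isNotEmpty',
  (v) => typeof v === 'string' && v.length > 0, 'name should not be empty');
registerConstraint(LoginDto, 'password', 'minLength',
  (v) => typeof v === 'string' && v.length >= 8, 'password must be at least 8 characters');

// 1. A proper DTO instance: constraints run and the weak password is caught.
function errorsForDtoInstance(options) {
  return validate(new LoginDto('alice', 'short'), options);
}

// 2. A plain object that never became a LoginDto: no metadata is registered
//    for Object, so nothing runs. This is the bypass the advisory describes.
function errorsForPlainObject(options) {
  return validate({ name: '', password: '' }, options);
}

// 3. A validation group that matches no decorator: zero constraints apply,
//    the second scenario listed under the 0.14.0 breaking change.
function errorsForEmptyGroup(options) {
  return validate(new LoginDto('alice', 'short'), { ...options, groups: ['audit'] });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const forbidUnknownValues of [false, true]) {
    const opts = { forbidUnknownValues };
    console.log(`forbidUnknownValues=${forbidUnknownValues}`);
    console.log('  DTO instance :', errorsForDtoInstance(opts).length, 'error(s)');
    console.log('  plain object :', errorsForPlainObject(opts).length, 'error(s)');
    console.log('  empty group  :', errorsForEmptyGroup(opts).length, 'error(s)');
  }
}
```

With the old default the plain object and the empty group both come back with zero errors; with forbidUnknownValues: true they are rejected while the real DTO instance still fails only on its password. The practical consequence for this PR: the pnpm output below shows @comet/blocks-api and @comet/cms-api still declaring a peer range of ^0.11.1 || ^0.12.0 || ^0.13.0, so while the project stays on 0.13.x the option must be switched on explicitly (forbidUnknownValues: true when calling the validate functions, as the changelog notes), and any code that relied on the "unknown object passes" behaviour should be found before the upgrade flips the default.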

@renovate
Contributor Author

renovate bot commented Jan 21, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 8 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
demo/admin                               |  WARN  deprecated @gitbeaker/node@35.8.1
demo/admin                               |  WARN  deprecated eslint@8.56.0
demo/admin                               |  WARN  deprecated rimraf@3.0.2
Progress: resolved 31, reused 0, downloaded 30, added 0
Progress: resolved 37, reused 0, downloaded 36, added 0
Progress: resolved 40, reused 0, downloaded 39, added 0
Progress: resolved 40, reused 0, downloaded 40, added 0
Progress: resolved 46, reused 0, downloaded 45, added 0
Progress: resolved 48, reused 0, downloaded 47, added 0
Progress: resolved 51, reused 0, downloaded 50, added 0
Progress: resolved 60, reused 0, downloaded 59, added 0
Progress: resolved 60, reused 0, downloaded 60, added 0
Progress: resolved 87, reused 0, downloaded 86, added 0
Progress: resolved 98, reused 0, downloaded 97, added 0
demo/api                                 |  WARN  deprecated apollo-server-core@3.13.0
demo/api                                 |  WARN  deprecated apollo-server-express@3.13.0
Progress: resolved 144, reused 0, downloaded 143, added 0
Progress: resolved 144, reused 0, downloaded 144, added 0
Progress: resolved 165, reused 0, downloaded 165, added 0
Progress: resolved 177, reused 0, downloaded 177, added 0
Progress: resolved 208, reused 0, downloaded 196, added 0
Progress: resolved 253, reused 0, downloaded 238, added 0
Progress: resolved 377, reused 0, downloaded 363, added 0
Progress: resolved 457, reused 0, downloaded 443, added 0
Progress: resolved 509, reused 0, downloaded 495, added 0
Progress: resolved 524, reused 0, downloaded 510, added 0
Progress: resolved 562, reused 0, downloaded 548, added 0
Progress: resolved 601, reused 0, downloaded 587, added 0
Progress: resolved 676, reused 0, downloaded 662, added 0
Progress: resolved 775, reused 0, downloaded 761, added 0
Progress: resolved 862, reused 0, downloaded 848, added 0
Progress: resolved 862, reused 0, downloaded 851, added 0
Progress: resolved 875, reused 0, downloaded 865, added 0
Progress: resolved 875, reused 0, downloaded 866, added 0
Progress: resolved 875, reused 0, downloaded 867, added 0
Progress: resolved 973, reused 0, downloaded 965, added 0
Progress: resolved 1065, reused 0, downloaded 1057, added 0
Progress: resolved 1157, reused 0, downloaded 1149, added 0
Progress: resolved 1260, reused 0, downloaded 1249, added 0
Progress: resolved 1303, reused 0, downloaded 1291, added 0
Progress: resolved 1335, reused 0, downloaded 1323, added 0
Progress: resolved 1418, reused 0, downloaded 1406, added 0
Progress: resolved 1558, reused 0, downloaded 1546, added 0
Progress: resolved 1642, reused 0, downloaded 1623, added 0
Progress: resolved 1651, reused 0, downloaded 1629, added 0
Progress: resolved 1681, reused 0, downloaded 1660, added 0
Progress: resolved 1751, reused 0, downloaded 1730, added 0
Progress: resolved 1806, reused 0, downloaded 1785, added 0
Progress: resolved 1885, reused 0, downloaded 1865, added 0
Progress: resolved 1981, reused 0, downloaded 1961, added 0
Progress: resolved 2089, reused 0, downloaded 2070, added 0
Progress: resolved 2209, reused 0, downloaded 2190, added 0
Progress: resolved 2323, reused 0, downloaded 2304, added 0
Progress: resolved 2467, reused 0, downloaded 2448, added 0
 WARN  33 deprecated subdependencies found: @babel/plugin-proposal-class-properties@7.18.6, @babel/plugin-proposal-nullish-coalescing-operator@7.18.6, @babel/plugin-proposal-numeric-separator@7.18.6, @babel/plugin-proposal-object-rest-spread@7.20.7, @babel/plugin-proposal-optional-chaining@7.21.0, @babel/plugin-proposal-private-methods@7.18.6, @babel/plugin-proposal-private-property-in-object@7.21.11, @humanwhocodes/config-array@0.11.14, @humanwhocodes/object-schema@2.0.3, @types/loud-rejection@2.0.0, abab@2.0.6, acorn-import-assertions@1.9.0, apollo-datasource@3.3.2, apollo-reporting-protobuf@3.4.0, apollo-server-env@4.2.1, apollo-server-errors@3.3.1, apollo-server-plugin-base@3.7.2, apollo-server-types@3.8.0, domexception@2.0.1, fstream@1.0.12, glob@7.2.3, glob@8.1.0, har-validator@5.1.5, inflight@1.0.6, intl-messageformat-parser@6.4.3, lodash.get@4.4.2, multer@1.4.4, node-domexception@1.0.0, request@2.88.2, rimraf@2.7.1, subscriptions-transport-ws@0.11.0, uuid@3.4.0, w3c-hr-time@1.0.2
Progress: resolved 2495, reused 0, downloaded 2476, added 0
Progress: resolved 2495, reused 0, downloaded 2476, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

demo/api
├─┬ @comet/blocks-api 7.21.1
│ └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1
└─┬ @comet/cms-api 7.21.1
  └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1

packages/api
├─┬ @comet/blocks-api 7.21.1
│ └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1
└─┬ @comet/cms-api 7.21.1
  └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1

hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.


@auto-assign auto-assign bot requested a review from raphaelblum January 21, 2025 12:00
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 9238156 to 6d0e8e1 April 2, 2025 10:39
@renovate renovate bot changed the base branch from next to main April 2, 2025 10:39
@thomasdax98 thomasdax98 force-pushed the renovate/npm-class-validator-vulnerability branch from 6d0e8e1 to a8b7277 May 8, 2025 12:12
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from a8b7277 to 6e36cfa May 28, 2025 10:06
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 6e36cfa to 4acc47d August 10, 2025 14:25
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 4acc47d to fe017a9 August 31, 2025 11:09
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from fe017a9 to 4499101 September 28, 2025 10:47
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 4499101 to c11861c February 15, 2026 11:11