Update dependency class-validator to v0.14.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
class-validator	0.9.1 -> 0.14.0

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

---

Release Notes

typestack/class-validator (class-validator)

v0.14.0

Compare Source

v0.13.2

Compare Source

NOTE: This version fixes a security vulnerability allowing denial of service attacks with a specially crafted request payload.
Please update as soon as possible.

Fixed

• switched to use Array.isArray in array checks from instanceof operator

Changed

• libphonenumber-js package updated to 1.9.43 from 1.9.7
• validator package updated to 13.5.2 from 13.5.2
• various dev-dependencies updated

v0.13.1

Compare Source

Added

• optional mather function has been added to the ArrayUnique decorator

Fixed

• a typo was fixed in the error message generated by the IsUUID decorator
• calling ValidationError.toString() doesn't result in an error when forbidNonWhitelisted parameter was used
• fixed typo in error message generated by IsIn decorator
• the @types/validator package is correctly installed
• inlineSources option is enabled in tsconfig preventing various sourcemap errors when consuming the package

Changed

• various dev dependencies has been updated

v0.13.0

Compare Source

Added

• project is restructured to allow three-shaking
• added option to fail on first validation error (#​620)
• two new validator option is added:
  • always - allows setting global default for always option for decorators
  • strictGroups - ignore decorators with at least one group, when ValidatorOptions.groups is empty

v0.12.2

Compare Source

Fixed

• move tslib from peerDependencies to dependencies (827eff1), closes #​588

v0.12.1

Compare Source

Fixed

• apply only nested validator for ValidateNested multi-dimensional array (c463be5)

v0.12.0

Compare Source

Fixed

• accept negative timezone in isDateString (#​564) (2012d72), closes #​565
• apply all decorators type PropertyDecorator (#​556) (5fb36e3), closes #​555
• avoiding metadataStorage from DI (#​335) (b57fef4), closes #​328 #​261 #​132
• correct registerDecorator options argument (7909ec6), closes #​302
• IsNumberString accept isNumbericOptions as argument (62b993f), closes #​518 #​463
• optional constraints property in ValidationError (#​465) (84680ad), closes #​309
• pass context to ValidationError for async validations (#​533) (4eb1216)
• switch isLatitude & isLongitude validators (#​513) (5497179), closes #​502
• switch isLatitude & isLongitude validators (#​537) (c27500b)
• ValidateNested support multi-dimensional arrays (#​539) (62678e1)

Changed

• update build process to enable tree shaking (#​568) (11a7b8b), closes #​258 #​248 #​247 #​212

Added

• sync validatorjs version from v10.11.3 to v13.0.0 (09120b7), closes #​576 #​425

v0.11.1

Compare Source

Fixed

• IsNumber validator now works when maxDecimalPlaces=0 (#​524) (b8aa922)

Added

• add all option in isuuid validator (#​452) (98e9382)
• add IsFirebasePushId validator (#​548) (e7e2e53)
• add options for isISO8601 validator (#​460) (90a6638)

v0.11.0

Compare Source

Fixed

• create instance of ValidationError for whitelist errors (#​434) (a98f5dd), closes #​325
• pass context for isDefined and custom validators (#​296) (0ef898e), closes #​292

Added

• add isHash validator (#​445) (c454cf9)
• add isISSN validator (#​450) (4bd586e)
• add isJWT validator (#​444) (874861b)
• add isMACAddress validator (#​449) (45b7df7)
• add support for maxDecimalPlaces on IsNumber (#​381) (a4dc10e)

v0.10.2

Compare Source

Fixed

• apply custom constraint class validation to each item in the array (#​295) (5bb704e), closes #​260

Added

• add isLatLong, isLatitude, isLongtitude validators (#​427) (3fd15c4), closes #​415
• add IsObject and IsNotEmptyObject new decorators (#​334) (0a41aeb)
• support ES6 Map and Set for regular validators with each option (#​430) (a055bba), closes #​428

v0.10.1

Compare Source

Fixed

• add default message for isMilitaryTime validator (#​411) (204b7df), closes #​287
• add default message for isPort validator (#​404) (74e568c)
• add locale parameter for isAlpha and isAlphanumeric validat… (#​406) (2f4bf4e)

Added

• add skipUndefinedProperties, skipNullProperties options (#​414) (76c948a), closes #​308

v0.10.0

Compare Source

Fixed

• add correct signature for custom error message handler (249c41d)

Added

• add IsISO31661Alpha3 and IsISO31661Alpha2 validators (#​273) (55c57b3)
• IsDecimal: implement IsDecimal from validatorjs (#​359) (b4c8e21)
• add isPort decorator (#​282) (36684ec)
• allow validate Map/Set (#​365) (f6fcdc5)
• new ValidatePromise decorator - resolve promise before validate (#​369) (35ec04d)
• replace instanceof Promise and support Promise/A+ (#​310) (59eac09)
• isNumberString now accept validator.js IsNumericOptions as second parameter (#​262)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.