Update dependency class-validator to ^0.14.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
class-validator	^0.13.1 -> ^0.14.0
class-validator	^0.13.2 -> ^0.14.0

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

---

Release Notes

typestack/class-validator (class-validator)

v0.14.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 8 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
demo/admin                               |  WARN  deprecated @gitbeaker/[email protected]
demo/admin                               |  WARN  deprecated [email protected]
demo/admin                               |  WARN  deprecated [email protected]
Progress: resolved 35, reused 0, downloaded 34, added 0
Progress: resolved 43, reused 0, downloaded 42, added 0
Progress: resolved 46, reused 0, downloaded 45, added 0
Progress: resolved 46, reused 0, downloaded 46, added 0
Progress: resolved 53, reused 0, downloaded 52, added 0
Progress: resolved 61, reused 0, downloaded 60, added 0
Progress: resolved 61, reused 0, downloaded 61, added 0
Progress: resolved 98, reused 0, downloaded 97, added 0
demo/api                                 |  WARN  deprecated [email protected]
demo/api                                 |  WARN  deprecated [email protected]
Progress: resolved 145, reused 0, downloaded 144, added 0
Progress: resolved 154, reused 0, downloaded 153, added 0
Progress: resolved 172, reused 0, downloaded 171, added 0
Progress: resolved 182, reused 0, downloaded 176, added 0
Progress: resolved 252, reused 0, downloaded 237, added 0
Progress: resolved 434, reused 0, downloaded 420, added 0
Progress: resolved 505, reused 0, downloaded 491, added 0
Progress: resolved 550, reused 0, downloaded 536, added 0
Progress: resolved 648, reused 0, downloaded 634, added 0
Progress: resolved 776, reused 0, downloaded 762, added 0
Progress: resolved 860, reused 0, downloaded 846, added 0
Progress: resolved 866, reused 0, downloaded 856, added 0
Progress: resolved 876, reused 0, downloaded 866, added 0
Progress: resolved 878, reused 0, downloaded 869, added 0
Progress: resolved 950, reused 0, downloaded 942, added 0
Progress: resolved 1187, reused 0, downloaded 1179, added 0
Progress: resolved 1278, reused 0, downloaded 1269, added 0
Progress: resolved 1437, reused 0, downloaded 1428, added 0
Progress: resolved 1588, reused 0, downloaded 1579, added 0
Progress: resolved 1683, reused 0, downloaded 1672, added 0
Progress: resolved 1814, reused 0, downloaded 1804, added 0
Progress: resolved 1913, reused 0, downloaded 1903, added 0
Progress: resolved 2050, reused 0, downloaded 2040, added 0
Progress: resolved 2287, reused 0, downloaded 2279, added 0
Progress: resolved 2412, reused 0, downloaded 2404, added 0
 WARN  31 deprecated subdependencies found: @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @humanwhocodes/[email protected], @humanwhocodes/[email protected], @types/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Progress: resolved 2476, reused 0, downloaded 2468, added 0
Progress: resolved 2476, reused 0, downloaded 2468, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

demo/api
├─┬ @comet/blocks-api 7.10.0
│ └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1
└─┬ @comet/cms-api 7.10.0
  └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1

packages/api
├─┬ @comet/blocks-api 7.10.0
│ └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1
└─┬ @comet/cms-api 7.10.0
  └── ✕ unmet peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0": found 0.14.1

hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.