feat: update dependency nhibernate to v5.4.9 [security] #44
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.1.0
->5.4.9
GitHub Vulnerability Alerts
CVE-2024-39677
Impact
A SQL injection vulnerability exists in some types implementing
ILiteralType.ObjectToSQLString
. Callers of these methods are exposed to the vulnerability, which includes:SqlInsertBuilder
andSqlUpdateBuilder
utilities, calling theirAddColumn
overload taking a literal value. These overloads are unused by NHibernate but could be used by users referencing directly these utilities.ObjectToSQLString
methods for building SQL queries on the user side.Patches
Releases 5.4.9 and 5.5.2.
Workarounds
ToString
conversion can be altered to include SQL injections through adequate hacking of the current culture settings, either change for another type, or ensure the used values cannot allow culture exploits, or ensure the application performs sanity checks of the current culture settings. Types sensitive to culture include integers for negative values, dates, times and datetimes, floats and decimals.References
Release Notes
nhibernate/nhibernate-core (NHibernate)
v5.4.9
Compare Source
=============================
Release notes - NHibernate - Version 5.4.9
6 issues were resolved in this release, including CVE-2024-39677.
** Bug
** Task
v5.4.8
Compare Source
=============================
Release notes - NHibernate - Version 5.4.8
2 issues were resolved in this release.
** Bug
** Task
v5.4.7
Compare Source
=============================
Release notes - NHibernate - Version 5.4.7
3 issues were resolved in this release.
** Task
v5.4.6
Compare Source
=============================
Release notes - NHibernate - Version 5.4.6
2 issues were resolved in this release.
** Bug
** Task
v5.4.5
Compare Source
=============================
Release notes - NHibernate - Version 5.4.5
2 issues were resolved in this release.
** Task
v5.4.4
Compare Source
=============================
Release notes - NHibernate - Version 5.4.4
6 issues were resolved in this release.
** Bug
** Improvement
** Task
v5.4.3
Compare Source
=============================
Release notes - NHibernate - Version 5.4.3
11 issues were resolved in this release.
** Bug
** Task
v5.4.2
Compare Source
=============================
Release notes - NHibernate - Version 5.4.2
6 issues were resolved in this release.
** Bug
** New Feature
** Task
v5.4.1
Compare Source
=============================
Release notes - NHibernate - Version 5.4.1
5 issues were resolved in this release.
** Bug
** Task
As part of releasing 5.4.1, a missing 5.4.0 possible breaking change has been added, about
one-to-one associations and optimistic locking. See 5.4.0 possible breaking changes.
v5.4.0
Compare Source
=============================
Release notes - NHibernate - Version 5.4.0
** Highlights
* NHibernate has gained three new target frameworks: .Net 6, .Net Framework 4.8 and .Net Standard 2.1. NHibernate NuGet package
provides them, along with the older targets, .Net Core 2.0, .Net Framework 4.6.1 and .Net Standard 2.0. These new targets allow
some NHibernate optimizations for applications using them. The same limitations apply for .Net 6 and .Net Standard 2.1 as for
.Net Core 2.0 and .Net Standard 2.0, see NHibernate 5.1.0 release notes.
* A new batching strategy is available, minimizing the batching memory footprint. See #2959. Using it may increase CPU usage.
* 201 issues were resolved in this release.
** Bug
Nullable
without a value in LINQ** New Feature
** Improvement
** Task
datetimex
keyword to SapSQLAnywhere17Dialect** Tests
v5.3.20
Compare Source
=============================
Release notes - NHibernate - Version 5.3.20
2 issues were resolved in this release.
** Bug
** Task
v5.3.19
Compare Source
=============================
Release notes - NHibernate - Version 5.3.19
2 issues were resolved in this release.
** Bug
** Task
v5.3.18
Compare Source
=============================
Release notes - NHibernate - Version 5.3.18
3 issues were resolved in this release.
** Bug
** Task
v5.3.17
Compare Source
=============================
Release notes - NHibernate - Version 5.3.17
5 issues were resolved in this release.
** Bug
** Task
v5.3.16
Compare Source
=============================
Release notes - NHibernate - Version 5.3.16
3 issues were resolved in this release.
** Bug
** Task
v5.3.15
Compare Source
=============================
Release notes - NHibernate - Version 5.3.15
4 issues were resolved in this release.
** Bug
** Task
v5.3.14
Compare Source
=============================
Release notes - NHibernate - Version 5.3.14
3 issues were resolved in this release.
** Bug
** Task
v5.3.13
Compare Source
=============================
Release notes - NHibernate - Version 5.3.13
6 issues were resolved in this release.
** Bug
** Improvement
** Task
v5.3.12
Compare Source
=============================
Release notes - NHibernate - Version 5.3.12
5 issues were resolved in this release.
** Bug
** Improvement
** Test
** Task
v5.3.11
Compare Source
=============================
Release notes - NHibernate - Version 5.3.11
12 issues were resolved in this release.
** Bug
** Task
v5.3.10
Compare Source
=============================
Release notes - NHibernate - Version 5.3.10
11 issues were resolved in this release.
** Bug
** Task
v5.3.9
Compare Source
=============================
Release notes - NHibernate - Version 5.3.9
11 issues were resolved in this release.
** Bug
** Test
** Task
v5.3.8
Compare Source
=============================
Release notes - NHibernate - Version 5.3.8
6 issues were resolved in this release.
** Bug
** Task
v5.3.7
Compare Source
=============================
Release notes - NHibernate - Version 5.3.7
5 issues were resolved in this release.
** Bug
** Task
v5.3.6
Compare Source
=============================
Release notes - NHibernate - Version 5.3.6
12 issues were resolved in this release.
** Bug
** Improvement
** Task
As part of releasing 5.3.6, one missing 5.3.0 possible breaking change has been added, about
Merge no more triggering immediate generation of identifier. See 5.3.0 possible breaking changes.
v5.3.5
Compare Source
=============================
Release notes - NHibernate - Version 5.3.5
2 issues were resolved in this release.
** Bug
** Task
v5.3.4
Compare Source
=============================
Release notes - NHibernate - Version 5.3.4
6 issues were resolved in this release.
** Bug
** Task
As part of releasing 5.3.4, one missing 5.3.0 possible breaking change has been added, about
custom method generators for Linq. See 5.3.0 possible breaking changes.
v5.3.3
Compare Source
=============================
Release notes - NHibernate - Version 5.3.3
16 issues were resolved in this release.
** Bug
** Task
As part of releasing 5.3.3, two missing 5.3.0 possible breaking changes have been added, about
uninitialized extra lazy collections and SQLite schema validation. See 5.3.0 possible breaking changes.
v5.3.2
Compare Source
=============================
Release notes - NHibernate - Version 5.3.20
2 issues were resolved in this release.
** Bug
** Task
v5.3.1
Compare Source
=============================
Release notes - NHibernate - Version 5.3.19
2 issues were resolved in this release.
** Bug
** Task
v5.3.0
Compare Source
=============================
Release notes - NHibernate - Version 5.3.0
220 issues were resolved in this release.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.