fix(deps): update dependency @mikro-orm/core to v6.6.10 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@mikro-orm/core (source)	6.3.13 → 6.6.10

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

MikroORM is vulnerable to SQL Injection via specially crafted object

CVE-2026-34220 / GHSA-gwhv-j974-6fxm

More information

Details

Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

• wrap(entity).assign(userInput) followed by em.flush()
• em.nativeUpdate()
• em.nativeInsert()
• em.create() followed by em.flush()

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties.

The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

Severity

• CVSS Score: 9.3 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm
• https://github.com/mikro-orm/mikro-orm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

MikroORM has Prototype Pollution in Utils.merge

CVE-2026-34221 / GHSA-qpfv-44f3-qqx6

More information

Details

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures.

The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged.

Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.

Prototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.

Severity

• CVSS Score: 8.3 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

References

• https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6
• https://github.com/mikro-orm/mikro-orm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

mikro-orm/mikro-orm (@​mikro-orm/core)

v6.6.10

Compare Source

Bug Fixes

• core: handle JSON column type conversion in em.refresh() for detached entities (e41b500), closes #​7383
• core: prevent prototype pollution in Utils.merge (06ed5f6)
• core: tighten query construction validation (ad3643e)
• schema: escape single quotes in enum CHECK constraints (#​7397) (db19731), closes #​7396 #​7395

v6.6.9

Compare Source

Bug Fixes

• core: fix findOne with entity refs for composite PKs with shared FK columns (6f95f72), closes #​5629
• core: make entity prototype toJSON non-enumerable to prevent data leaks (c895808)
• core: prevent double JSON-encoding of nested embeddable arrays (309b278), closes #​7233
• migrations: normalize snapshots and write on both up/down (#​7236) (a07aca6), closes #​7234
• migrations: skip snapshot write on migration:up to support read-only filesystems (c8584e8), closes #​7232
• mysql: fix table.bigincrements() producing int instead of bigint (5660607), closes #​7246

v6.6.8

Compare Source

Bug Fixes

• core: allow using property accessor on to-one relations (06978c9), closes #​7211
• core: fix double processing of JSON properties when reloading an entity (514ed87)
• core: preserve embeddable properties in toPOJO regardless of partial loading hints (c27dbae)
• core: preserve function expression indexes through metadata cache round-trip (#​7229) (9ae8d20), closes #​7238
• core: use full hydration in mergeData for initialized entities (5529308), closes #​7205
• knex: handle $not operator inside relation filters (#​7227) (d0dac2f), closes #​7226
• migrations: delete snapshot file after migration:down (dfcc8c6), closes #​7210
• postgres: fix phantom diffs for check constraints (#​7224) (103346c)

v6.6.7

Compare Source

Bug Fixes

• core: do not propagate cursor related options to populate queries (e6b9a6a), closes #​7148
• core: ignore empty conditions produced by filters (1ebbfb0)
• guard prototype.toJSON against being called on prototype itself (#​7152) (fa5290e), closes #​7151
• migrations: support emitting multiline queries (fcf360a), closes #​7185
• schema: do not ignore changes to entity level comments (b421c9d), closes #​7187
• sql: always alias virtual properties in where query (2f7492d), closes #​7196
• sql: skip pagination subquery and force balanced strategy for virtual entities (260a2e0), closes #​7195

Features

• core: add WHERE clause support to upsert via onConflictWhere option (#​7181) (9ed5ef5)

v6.6.6

Compare Source

Bug Fixes

• core: ensure column name conflicts in M:N are propagated to STI child entities (5be76ae), closes #​7123
• core: ensure no collisions in polymorphic embeddables with shadowed properties (b7707b4)
• core: fix result caching for custom types (b0ed700), closes #​7112
• core: respect exclude option on eager properties (cb26a7e)
• core: support schema parameter in formula query when using QB with partial loading (30b37f7), closes #​7102
• core: use less strict repository option type to fix issues with defineEntity and cycles (aeb1bb1)

v6.6.5

Compare Source

Bug Fixes

• core: always check the database when querying by PK with filters (bd44c82), closes #​7084
• core: ensure populate hint won't include undefined for optional relations (fede490)
• core: improve handling of deeply nested composite keys in em.create (8caae8f), closes #​6894
• core: normalize populate option in Collection.matching() for M:N relations (#​7091) (886772a)
• core: support overlapping properties with different field names in STI (badbc00), closes #​5813
• sql: fix populating M:N relations with pivotEntity that uses mapToPk: true (0ab55fe), closes #​7107

Features

• core: improve formula callback to provide more information about the table and column mapping (#​7105) (059bf97), closes #​7102

v6.6.4

Compare Source

Bug Fixes

• core: do not convert custom types in em.refresh (143a4ed), closes #​7073
• core: fix applying filters on nested relation conditions (2ec6474)
• core: fix processing filters on to-many relations (4a55799)
• core: respect orphanRemoval on 1:1 relations when inverse side is a PK (#​7081) (ce4bfee)
• core: support wildcard wrap(e).populate() hints on type level (45224ee)
• mongo: fix field name conversion when querying object embedded entities (3ea8193)
• postres: fix casting of object embedded relation properties (6095889)

v6.6.3

Compare Source

Bug Fixes

• core: do not connect to database when calling orm.close() (79cabd7), closes #​7041
• core: don't reset entity identifiers when using assign on entity references (#​7048) (ca5d9b8)
• core: handle custom types properly in em.refresh (#​7061) (7dc5d7d)
• defineEntity: avoid circular type inference in meta (#​7039) (a18e63d)
• query-builder: do not reset schema when creating subquery for collection operators (4f4ea6d), closes #​7053
• schema: ensure SchemaGenerator respects skipTables option when diffing a schema (#​7040) (40fa85a)

v6.6.2

Compare Source

Bug Fixes

• core: deprecate some EM and MikroORM methods (551b1df)
• core: fix joining embedded entity with virtual property (2a76b1d), closes #​7023
• core: handle BigInt in Date hydration (#​7003) (236b429), closes #​7002

Features

• core: use upsert when adding items to not initialized M:N collections (#​7019) (268f378), closes #​6625

Performance Improvements

• core: store subscribers in Set to deduplicate them by identity (#​7010) (a41c498), closes #​7009

v6.6.1

Compare Source

Bug Fixes

• core: try to infer property types regardless of inferDefaultValues option (98eef5e)
• mongo: fix processing of nested lazy scalar properties (94927c6), closes #​6994
• mongo: respect property fieldName on index creation (#​6979) (44998c0), closes #​6978
• mysql: ensure raw values are rehydrated after flush (9a86383), closes #​6968
• query-builder: do not require transaction when for LockMode.NONE (6c2a4b6), closes #​6969

Performance Improvements

• core: simplify processing of scalars that use simple ORM provided type classes (15d7e74)

v6.6.0

Compare Source

Bug Fixes

• core: do not ignore updating the whole inlined embedded property to null (d0913f1), closes #​6966
• core: ensure base properties in STI entities won't be ignored when overridden in one child (b31ffec), closes #​6957
• core: ensure original entity data are in correct shape after merging (7a30cca), closes #​6951
• core: rehydrate nullable to-one properties that were discarded via filters with select-in strategy (3d58538), closes #​6460
• core: support falsy values in scalar references (#​6942) (a02c2a8)
• core: support type detection on classes with dots in their names like Temporal.Instant (8cca4a8), closes #​6953
• postgres: allow executing schema queries via knex in migrations (5196f24), closes #​6949
• reflection: support string literal properties (#​6960) (148ac75)

Features

• core: allow control over relation filters in entity definition (#​6959) (28a7e44), closes #​6457
• core: allow defining filters on nullable relations as strict (#​6952) (1dae6cf), closes #​6784 #​6943 #​6784
• core: allow disabling filters on relations (7798e57), closes #​6457
• core: support private properties with get/set accessors (#​6967) (659ca93), closes #​6932
• entity-generator: allow generating enums as type or JS dictionary (#​6956) (ccf24df), closes #​6457
• entity-generator: support generating defineEntity() definitions (#​6954) (d523f13)
• entity-generator: support native postgres enums (#​6958) (746e4bf)
• knex: reexport raw helper that supports QueryBuilder and Knex.QueryBuilder (#​6955) (897cc7f), closes #​6751 #​6782
• postgres: skip left joined relations from pessimistic locks automatically (ffb71a1), closes #​6412

6.5.9 (2025-10-23)

Bug Fixes

• core: add some missing options to defineEntity relation builders (#​6922) (3bedcca)
• core: ensure correct state of custom typed data after merging to existing results (5907da0), closes #​6926
• core: fix extra updates caused by em.refresh (3d12a8b), closes #​6940
• core: support auto-discovery of relation targets with defineEntity (a93f2e0)
• core: support custom classes in defineEntity relation property builders (8a03eca)
• core: update extends type in defineEntity and EntitySchema (#​6936) (589d0f3)
• postgres: do not create non-autoincrement simple PKs twice (89e139e)

6.5.8 (2025-10-13)

Bug Fixes

• core: don't skip diffing of non-hydrated properties (4a46bd8), closes #​6918
• core: enhance mapToPk() and remove default ref: true in defineEntity helper (#​6919) (f0d4e8e)
• core: improve auto flush detection for STI base classes (da5e993)
• core: rework support for partial loading of embedded properties (29091aa), closes #​6907
• core: support class-based entity definitions with defineEntity (#​6920) (aa7295e), closes /github.com/mikro-orm/mikro-orm/discussions/6865#discussioncomment-14465227
• mongo: support indexes on JSON properties (a9edc05), closes #​6899
• mongo: support upsert with nested onConflictFields on JSON properties (4eab82e), closes #​6900
• query-builder: do not ignore nested joins inside nested joins (a37d6fa)
• schema: fix down migrations with createForeignKeyConstraint property option (23e898b), closes #​6903
• schema: support raw fragments in check constraint expressions (ff360b0), closes #​6914

Features

• core: improve type-level support for composite keys with defineEntity helper (#​6912) (2d39dd0)

6.5.7 (2025-10-06)

Bug Fixes

• core: enhance branded type definitions for Opt, Hidden, Config and RequiredNullable (#​6884) (6ce418d)
• core: ensure nullable ScalarReference properties are loaded as initialized ScalarReference instances (#​6902) (51feb3b), closes #​6885
• core: mark autoincrement properties with Opt type in defineEntity helper (#​6910) (e2a8ed4)
• core: prefer id property over uuid property for default PK inference (7a9c834), closes #​6865
• core: skip entity validation when propagating to upper context in em.transactional (a3941a1), closes #​6895
• query-builder: expand embeddable fields on select (#​6896) (6b76f60)
• query-builder: support embedded fields in join conditions (#​6897) (409e0ef), closes #​6883

Features

• mongo: implement optimistic locking support for version properties (#​6887) (591fb43), closes #​3612 mikro-orm/mikro-orm#3612

Performance Improvements

• optimize merging of entities to upper context after em.transactional (36bdc43), closes #​6905
• optimize merging of entities to upper context after em.transactional (b29e88c), closes #​6890
• optimize merging of entities to upper context after em.transactional when it's empty (b7751d5), closes #​6890

6.5.6 (2025-09-25)

Bug Fixes

• core: account for nullability when applying default value (#​6880) (9763275), closes #​6879
• core: enhance type of bigint, array, decimal properties when using defineEntity helper (#​6873) (42e7df1), closes /github.com/mikro-orm/mikro-orm/discussions/6865#discussioncomment-14483413
• core: ensure em.refresh will refresh detached entities too (c156e30), closes #​6867
• core: prevent stack overflow errors when populating relations on lots of entities with select-in strategy (#​6874) (d5c23c7)

Features

• core: allow sha256 hashing in FileCacheAdapter (#​6866) (21d364d)
• schema: add skipTables and skipColumns options to schema generator (#​6870) (5937ab6), closes #​5346

6.5.5 (2025-09-21)

Bug Fixes

• core: add missing IncludeCount type argument to repo.findByCursor() (34c9630)
• core: correctly diff nullable properties between undefined and null (#​6864) (c30d1c9)
• core: skip mapping undeclared columns that match a different property name (#​6860) (b29527e), closes #​6861
• schema: improve diffing of generated columns (9a59ba6), closes #​6858

6.5.4 (2025-09-17)

Bug Fixes

• core: initialize collection properties after flushing an entity reference (83ca9c1), closes #​6855
• core: support inference of default value from property initializer with ref() (56e441d), closes #​6853
• query-builder: fix aliasing of 1:1 inverse side when used in a filter nested inside M:N relation (61969f6), closes #​6851

6.5.3 (2025-09-13)

Bug Fixes

• core: align implementation of filters in em.find and em.count (ead5074), closes #​6823
• core: export RequiredNullable from @mikro-orm/core (#​6836) (961ee74)
• core: fix propagation from em.transactional with composite custom type PK (0b82f43), closes #​6825
• core: include hidden properties when refreshing via em.refresh() (9a7bbc3), closes #​6828
• query-builder: properly wrap composite keys in join conditions (#​6831) (b720ca5), closes #​6830
• query-builder: skip branching on to-one joins (#​6826) (65812c4), closes #​6824

6.5.2 (2025-09-02)

Bug Fixes

• core: process owning sides of M:N relations in em.assign with onlyOwnProperties (#​6822) (099869f), closes #​6813
• migrations: improve extraction of Migration class (2dacc4b), closes #​6817
• query-builder: fix aliasing of conditions targeting a nested composite FK (b159342), closes #​6819
• query-builder: fix join conditions targeting a composite FK (3f88e9b), closes #​6819
• query-builder: fix processing deeply nested joins (d033729), closes #​6818
• query-builder: hydrate lazy properties regardless of populate hint (8b45281)

6.5.1 (2025-08-27)

• core: add indexName argument to index expression callback (b77c90f)

v6.5.9

Compare Source

Bug Fixes

• core: add some missing options to defineEntity relation builders (#​6922) (3bedcca)
• core: ensure correct state of custom typed data after merging to existing results (5907da0), closes #​6926
• core: fix extra updates caused by em.refresh (3d12a8b), closes #​6940
• core: support auto-discovery of relation targets with defineEntity (a93f2e0)
• core: support custom classes in defineEntity relation property builders (8a03eca)
• core: update extends type in defineEntity and EntitySchema (#​6936) (589d0f3)
• postgres: do not create non-autoincrement simple PKs twice (89e139e)

v6.5.8

Compare Source

Bug Fixes

• core: don't skip diffing of non-hydrated properties (4a46bd8), closes #​6918
• core: enhance mapToPk() and remove default ref: true in defineEntity helper (#​6919) (f0d4e8e)
• core: improve auto flush detection for STI base classes (da5e993)
• core: rework support for partial loading of embedded properties (29091aa), closes #​6907
• core: support class-based entity definitions with defineEntity (#​6920) (aa7295e), closes /github.com/mikro-orm/mikro-orm/discussions/6865#discussioncomment-14465227
• mongo: support indexes on JSON properties (a9edc05), closes #​6899
• mongo: support upsert with nested onConflictFields on JSON properties (4eab82e), closes #​6900
• query-builder: do not ignore nested joins inside nested joins (a37d6fa)
• schema: fix down migrations with createForeignKeyConstraint property option (23e898b), closes #​6903
• schema: support raw fragments in check constraint expressions (ff360b0), closes #​6914

Features

• core: improve type-level support for composite keys with defineEntity helper (#​6912) (2d39dd0)

v6.5.7

Compare Source

Bug Fixes

• core: enhance branded type definitions for Opt, Hidden, Config and RequiredNullable (#​6884) (6ce418d)
• core: ensure nullable ScalarReference properties are loaded as initialized ScalarReference instances (#​6902) (51feb3b), closes #​6885
• core: mark autoincrement properties with Opt type in defineEntity helper (#​6910) (e2a8ed4)
• core: prefer id property over uuid property for default PK inference (7a9c834), closes #​6865
• core: skip entity validation when propagating to upper context in em.transactional (a3941a1), closes #​6895
• query-builder: expand embeddable fields on select (#​6896) (6b76f60)
• query-builder: support embedded fields in join conditions (#​6897) (409e0ef), closes #​6883

Features

• mongo: implement optimistic locking support for version properties (#​6887) (591fb43), closes #​3612 mikro-orm/mikro-orm#3612

Performance Improvements

• optimize merging of entities to upper context after em.transactional (36bdc43), closes #​6905
• optimize merging of entities to upper context after em.transactional (b29e88c), closes #​6890
• optimize merging of entities to upper context after em.transactional when it's empty (b7751d5), closes #​6890

v6.5.6

Compare Source

Bug Fixes

• core: account for nullability when applying default value (#​6880) (9763275), closes #​6879
• core: enhance type of bigint, array, decimal properties when using defineEntity helper (#​6873) (42e7df1), closes /github.com/mikro-orm/mikro-orm/discussions/6865#discussioncomment-14483413
• core: ensure em.refresh will refresh detached entities too (c156e30), closes #​6867
• core: prevent stack overflow errors when populating relations on lots of entities with select-in strategy (#​6874) (d5c23c7)

Features

• core: allow sha256 hashing in FileCacheAdapter (#​6866) (21d364d)
• schema: add skipTables and skipColumns options to schema generator (#​6870) (5937ab6), closes #​5346

v6.5.5

Compare Source

Bug Fixes

• core: add missing IncludeCount type argument to repo.findByCursor() (34c9630)
• core: correctly diff nullable properties between undefined and null (#​6864) (c30d1c9)
• core: skip mapping undeclared columns that match a different property name (#​6860) (b29527e), closes #​6861
• schema: improve diffing of generated columns (9a59ba6), closes #​6858

v6.5.4

Compare Source

Bug Fixes

• core: initialize collection properties after flushing an entity reference (83ca9c1), closes #​6855
• core: support inference of default value from property initializer with ref() (56e441d), closes #​6853
• query-builder: fix aliasing of 1:1 inverse side when used in a filter nested inside M:N relation (61969f6), closes [#​6851](https

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.