fix(deps): update dependency @adonisjs/lucid to v21 [security] #582

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-adonisjs-lucid-vulnerability

Conversation

renovate bot (Contributor) commented Jan 13, 2026

This PR contains the following updates:

Package: @adonisjs/lucid
Change: 18.3.0 -> 21.8.2

GitHub Vulnerability Alerts

CVE-2026-22814

Description

A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Details

A vulnerability in the BaseModelImpl class of @adonisjs/lucid may allow an attacker to overwrite internal class properties (such as $isPersisted, $attributes, or $isDeleted) when passing plain objects to model assignment methods.

The library relies on a this.hasOwnProperty(key) check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can get specific keys (like $isPersisted) into the payload passed to merge() or $consumeAdapterResult(), they can hijack the ORM's internal logic.

The exposed internal properties include:

  • $attributes: The raw storage for model data.
  • $isPersisted: Controls whether save() performs an INSERT or an UPDATE.
  • $original: Stores the original state of the record used to calculate changes.
  • $isDeleted: Prevents operations on deleted models.

This issue propagates to the entire write surface of the library, including:

  • Instance methods fill and merge.
  • Single record creation methods create, createQuietly, firstOrNew, and firstOrCreate.
  • Conditional updates via updateOrCreate.
  • Bulk operations createMany, createManyQuietly, fetchOrNewUpMany, fetchOrCreateMany, and updateOrCreateMany.

Impact

Applications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the hasOwnProperty check and bypass Lucid's default rejection of unknown properties.

Applications utilizing strict allow lists for input validation that discard unknown properties are not affected.

For example, if a developer passes request.all(), request.except() or a schema with allowUnknownProperties to Model.create(), the ORM's internal logic can be hijacked. Because the Model.create() > save() decision is based on $isPersisted, and merge() can assign to the own-property $isPersisted, an attacker who can inject "$isPersisted": true into the payload can force save() to take the UPDATE branch rather than the INSERT branch, while setting $attributes can bypass validators or field restrictions.

Patches

This issue has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. Please upgrade to one of these versions or later.

Developers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.


Release Notes

adonisjs/lucid (@adonisjs/lucid)

v21.8.2: Prevent mass assignment vulnerability

Compare Source

Security update for CVE-2026-22814.

This release fixes a mass assignment vulnerability in Lucid that could allow user input to override internal ORM state properties.

The issue was caused by relying on hasOwnProperty checks during model assignments, which unintentionally allowed setting internal properties like $attributes, $original, or $isPersisted when passing untrusted input to methods such as fill, merge, or create.

Applications that already properly validate and whitelist input data before passing it to Lucid models are not affected.

v21.8.1: Support VineJS v4

Compare Source

Full Changelog: adonisjs/lucid@v21.8.0...v21.8.1

v21.8.0: Use natural sort when executing seeders and display migration filename during error in compact mode

Compare Source

Features
  • show file name in which the migration failed when using the --compact-output flag (#1108) (4e7589f)

Full Changelog: adonisjs/lucid@v21.7.0...v21.8.0

v21.7.0: Extend sideload data, perform model.save without triggering hooks and bug fixes

Compare Source

Bug Fixes
  • Push related records when creating relationships via factory (9893ed1), closes #1100
  • use app.nodeEnvironment as label for the ignored seeder (c925b0d), closes #1088

v21.6.1: Fix issue for disableTransactions flag being ignored for schema classes

Compare Source

Bug Fixes
  • read disableTransactions flag from the current schema class (8cfc7b3)

Full Changelog: adonisjs/lucid@v21.6.0...v21.6.1

v21.6.0: Handful of small improvements

Compare Source

Features
  • add db connection event types (4862c7d)
  • model_query_builder: add error.model for E_ROW_NOT_FOUND; (#1081) (334186f)
  • preloader: add preloadOnce to preload a relationship only once (#1078) (fbfadbe)

Full Changelog: adonisjs/lucid@v21.5.1...v21.6.0

v21.5.1: Fix model.transaction method to behave exactly as db.transaction

Compare Source

Bug Fixes
  • Model.transaction always creates a transaction and does not re-use an existing one (1afdd81)

Full Changelog: adonisjs/lucid@v21.5.0...v21.5.1

v21.5.0: Improvements to unique and exists rule and add isDirty method

Compare Source

Bug Fixes
  • use correct property name for reading local primary key value (65790bf), closes #1069
Features
  • add isDirty method (#1068) (151f862)
  • add meta to all relations (#1042) (ade635f)
  • add support for creating transaction client from model (4a2adcd)
  • allow unique and exists validations to perform case insensitive search (761f823)

Full Changelog: adonisjs/lucid@v21.4.0...v21.5.0

v21.4.0: Export relationships query clients and allow instanceName config property

Compare Source

Full Changelog: adonisjs/lucid@v21.3.0...v21.4.0

v21.3.0: Bug fixes and new features

Compare Source

  • Feat: Add loadOnce method to preload a relationship only when it's not already preloaded.
  • Feat: Add support for --compact-output in migration:reset and migration:refresh commands.
  • Feat: Export Adapter and ModelPaginator from the ORM.
  • Fix: Clone the preloader when cloning the query builder

Bug Fixes

  • Clone the preloader when cloning the query builder (#1050) (18103ea)
  • lint script (edc3d3a)
  • run migration:reset via migrate test utils (9f669dd)

Full Changelog: adonisjs/lucid@v21.2.0...v21.3.0

v21.2.0: Pin strtok3 and fix relationship query builder to apply constraints on subqueries

Compare Source

Full Changelog: adonisjs/lucid@v21.1.1...v21.2.0

v21.1.1: Fix - Cleanup connection resources when using read replicas

Compare Source

  • test: fix failing tests 14f345a
  • test: add test for connection resource cleanup with replicas 2e002b7
  • fix: connection resource cleanup logic a9eac4b
  • fix: cleanup of resources when using replicas aa0a573
  • chore: update dependencies 2aee01a
  • chore: update dependencies 2d25ef0

Full Changelog: adonisjs/lucid@v21.1.0...v21.1.1

v21.1.0: Display dialect names in configure prompts

Compare Source

  • refactor: configure command to display dialect name in prompts 596c153

v21.0.1: Fix for last release

Compare Source

  • fix: broken import of libsql client 1afc648

Full Changelog: adonisjs/lucid@v21.0.0...v21.0.1

v21.0.0: Support for libSQL and new health checks

Compare Source

This release adds first-class support for libSQL and removes all options, types and methods related to the legacy way of doing health checks. Instead, you must use the following two classes to register health checks with AdonisJS v6.

import db from '@adonisjs/lucid/services/db'
import { HealthChecks } from '@adonisjs/core/health'
import { DbConnectionCountCheck, DbCheck } from '@adonisjs/lucid/database'

// Register both database checks on the application's health checks instance
new HealthChecks().register([
  new DbCheck(db.connection()),
  new DbConnectionCountCheck(db.connection())
])

Breaking changes

  • The config.healthCheck property
  • Remove connection.getReport method.
  • Remove connectionManager.report method.
  • Remove ReportNode type.

Deprecations

  • Deprecate connection.dialectName in favor of connection.clientName. The clientName refers to the npm clients you can use with Knex and dialectName refers to the Lucid dialects. One dialect can be used with multiple clients. For example, the MySQL dialect can be used with mysql and mysql2 clients.

Commits

  • test: another attempt at fixing broken tests 8a4df1c
  • test: fix breaking tests 2d9697b
  • refactor: update usages of dialectName with clientName 7fedbfe
  • feat: add support for libsql and cleanup clients to dialects mapping 95f11d1
  • feat: export health check classes 1b32dca
  • feat: add database health checks and remove legacy health check flag 0373e7f
  • refactor: remove legacy health checks 32f377e
  • test: fix broken types 44da18c
  • chore: update peer dependencies 9dbd7fc
  • chore: update dependencies bdc32b5

Full Changelog: adonisjs/lucid@v20.6.0...v21.0.0

v20.6.0: Improvements to the DateTime comparison when using "orCreate" methods

Compare Source

In this release, we improve the comparison logic used by firstOrCreate, firstOrNew, and updateOrCreate methods to properly compare Luxon DateTime instances when finding or persisting a new row.

Full Changelog: adonisjs/lucid@v20.5.1...v20.6.0

v20.5.1: Add clause variant to findBy method

Compare Source

Latest 20.5.0 was missing some commits.
This release is published only as a patch since 20.5.0 was released a few minutes ago.

  • feat(base_model): add clause variant to findBy method (#1020) 059c472
  • fix(base_model): correct typing for findManyBy c22f019
  • Merge pull request #1013 from MaximeMRF/feat-step-option-migrator 196c97c
  • feat(Migrator): add step option 4012129

v20.5.0: Add step option to the migrator

Compare Source

Full Changelog: adonisjs/lucid@v20.3.1...v20.5.0

v20.4.0: Add support for pretty printing debug queries and findMany helper method

Compare Source

Commits

  • chore(release): 20.3.1 8e1f3a7
  • style: remove unused imports f989fb6
  • feat: add support for pretty print debug queries f3976b9
  • Merge pull request #1010 from adonisjs/feat/findMany 4427c8d
  • style: lint e0a2b03
  • fix(base_model): execute the query in findManyBy deb0052
  • feat(base_model): add findManyBy method ea41f57
  • fix: omit double quotes from connection name (#983) 8c333e0
  • chore: fix url in readme 67ba462
  • fix(configure): correct call to logger.error 2754e5c

Full Changelog: adonisjs/lucid@v20.3.0...v20.4.0

v20.3.1: Correct call to logger.error when configuring the package

Compare Source

  • fix(configure): correct call to logger.error 2754e5c

v20.3.0: Bug fixes and new API on BaseModel

Compare Source

This release fixes the dropAllTables implementation for SQLite so that we can drop tables even when unsafe mode is disabled.

Also, a new model method lockForUpdate has been added. This method refetches the model instance from the database and locks the row for update. This allows you to perform updates without running into race conditions. For example:

// Assuming you already have a model instance (auth.user here).
// lockForUpdate returns a promise and the callback runs inside the
// transaction that holds the row lock, so both must be awaited.

const user = await auth.user.lockForUpdate(async (newUser) => {
  // newUser is a fresh model instance and the row is now locked inside the database
  newUser.email = newEmail
  await newUser.save()
  return newUser
})

Commits

  • test: reset tables between tests 1b47ba7
  • feat: add model.lockForUpdate method to lock the model row for updates 703e6b5
  • chore(package): update dependencies 018c4ce
  • refactor: change sqlite dropAllTables implementation (#1001) 5c18c76

Full Changelog: adonisjs/lucid@v20.2.0...v20.3.0

v20.2.0: Add exists and unique bindings to VineNumber & drop postgres domain

Compare Source

Full Changelog: adonisjs/lucid@v20.1.0...v20.2.0

v20.1.0: Add DatabaseTestUtils

Compare Source

This release adds the DatabaseTestUtils class, which includes some helpers for writing tests that interact with your database, such as migration/seeding/truncating and global transactions to keep a clean state between each test.

See full documentation here: https://docs.adonisjs.com/guides/database-tests

Full Changelog: adonisjs/lucid@v20.0.0...v20.1.0

v20.0.0: Switch default naming strategy to camelCase and add support for nulls treatment in order by clause

Compare Source

Breaking change

  • In this release we switch the naming strategy of the ORM and the Paginator to return camelCase output for the serialized object keys. This should have made its way into the last release, but was somehow missed. You can switch back to the SnakeCase strategy by explicitly assigning it to the BaseModel. https://lucid.adonisjs.com/docs/model-naming-strategy

Switching back to snake_case naming strategy

If you would like to keep using the old snake case naming strategy, you can copy-paste the following code inside a service provider of your application.

import { SnakeCaseNamingStrategy } from '@adonisjs/lucid/orm'
import { BaseModel } from '@adonisjs/lucid/orm'

export default class AppProvider {
  async boot() {
    // Restore the pre-v20 snake_case serialization for every model
    BaseModel.namingStrategy = new SnakeCaseNamingStrategy()
  }
}

New features

Add support for defining treatment of null values in orderBy method. For example:

orderBy([
  { column: 'expires_at', order: 'desc', nulls: 'last' },
  { column: 'last_used_at', order: 'desc', nulls: 'first' }
])

The above method call will compile to the ORDER BY expires_at desc NULLS LAST and ORDER BY last_used_at desc NULLS FIRST SQL clauses.

Commits

  • feat: add support for nulls property for orderby method signature b4af593
  • chore(package): update dependencies 4777edc
  • chore: remove @types/pluralize from dependencies cee062c
  • Merge pull request #986 from adonisjs/feat/serialize_to_camelcase d33b9b1
  • refactor: use camelCase naming strategy with paginator also 7e35cc2
  • fix: remove unused imports d327871
  • feat: change naming strategy to output camelCase key names in serialized output c835376
  • chore: update dependencies 718c68f
  • fix(seeds): correct log for ignored seed 71708b8

Full Changelog: adonisjs/lucid@v19.0.0...v20.0.0

v19.0.0: Stable major release

Compare Source

Please consult the following releases to learn more about the breaking changes.

Commits

  • chore: publish under latest tag f664a07
  • Merge pull request #982 from adonisjs/v6-next 24a14cf
  • refactor: fix mess created by the merge 57d9ca7
  • Merge branch 'develop' into v6-next 0ee3ee6
  • refactor: export stubsRoot ae090bd
  • chore(package): update dependencies 06422e1
  • feat(QueryBuilder/where): add null type to where clause (#967) 2790fe9
  • fix(migrator): set primary key for schema_versions table (#945) 0fac231
  • Revert "fix(migrator): exception class expect two arguments" 498c308
  • fix(migrator): exception class expect two arguments 947e851
  • fix(migrator): await rollback when changing migration format 19dad5b
  • fix: DateTime equality in $dirty (#929) f72c991
  • fix(configure): change localhost to 127.0.0.1 0417d84
  • chore(release): 18.4.1 14befae
  • test(component): fix references to missing types upon compiling in tests (#951) 62ae085
  • chore: add engines key c5a9f51
  • feat(adonis-typings/relations.ts): typing support for nullable 1-1 relations (hasOne and belongsTo) (#944) b7ec9d4

Full Changelog: adonisjs/lucid@v18.4.1...v19.0.0

v18.4.2: Change default env variable values

Compare Source

  • fix(configure): change localhost to 127.0.0.1 0417d84

Full Changelog: adonisjs/lucid@v18.4.1...v18.4.2

v18.4.1: Relations can now be nullable

Compare Source

Full Changelog: adonisjs/lucid@v18.4.0...v18.4.1

v18.4.0: Add support for disabling locks during migrations

Compare Source

  • docs(README): update github actions badge url 5562cef
  • chore: update knex-dynamic-connection package version 0e51132
  • ci: not running mssql tests on node 14 as tedious does not support it ecb7d77
  • style: format source code 92f0de6
  • chore: update dependencies f59ef9e
  • refactor: update disable-locks flag description 05f28e4
  • feat: add disable-locks flag (#932) 9bf8f24
  • Use import type for importing type (#922) 8955b12

Full Changelog: adonisjs/lucid@v18.3.0...v18.4.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
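
The assignment pattern the advisory above describes, beside the two mitigations it names (a strict allow list at the application boundary, and an ORM-side check that only accepts declared columns), as an added example. This is not Lucid's code and not part of this PR: ToyModel, mergeUnsafe, mergeSafe, pickAllowed, the flow functions and the request body are constructed for illustration; only the property names $attributes, $isPersisted and $isDeleted and the INSERT/UPDATE decision come from the advisory.

```javascript
// Added example (not Lucid's code): a toy model that reproduces the
// own-property assignment check the advisory describes, plus hardened variants.
// All names below are constructed for illustration.

const INTERNAL_PREFIX = '$';

class ToyModel {
  // The columns the model actually declares; the only legitimate assignment targets.
  static columns = new Set(['email', 'name']);

  constructor() {
    // Internal ORM state lives on the instance, so an own-property check
    // cannot distinguish it from a declared column.
    this.$attributes = {};
    this.$isPersisted = false;
    this.$isDeleted = false;
    this.email = undefined;
    this.name = undefined;
  }

  // Mirrors the pre-21.8.2 pattern: any own property of the instance is assignable.
  mergeUnsafe(values) {
    for (const key of Object.keys(values)) {
      if (Object.prototype.hasOwnProperty.call(this, key)) {
        this[key] = values[key];
      }
    }
    return this;
  }

  // Hardened: reject internal keys and anything not in the declared column set.
  mergeSafe(values) {
    for (const key of Object.keys(values)) {
      if (key.startsWith(INTERNAL_PREFIX) || !ToyModel.columns.has(key)) {
        throw new Error(`Cannot assign unknown property "${key}"`);
      }
      this[key] = values[key];
    }
    return this;
  }

  // save() picks INSERT or UPDATE from the persisted flag, as in the advisory.
  save() {
    const op = this.$isPersisted ? 'UPDATE' : 'INSERT';
    this.$isPersisted = true;
    return op;
  }
}

// Application-side allow list: copy only known keys, so unknown ones never
// reach the model (the mitigation the advisory recommends for any version).
function pickAllowed(payload, allowed) {
  const clean = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(payload, key)) {
      clean[key] = payload[key];
    }
  }
  return clean;
}

// Constructed request body: one real column plus a key aimed at ORM state.
const UNTRUSTED_BODY = { email: 'alice@example.test', $isPersisted: true };

// Vulnerable flow: the body goes straight into the model, so save() takes the
// UPDATE branch although the row was never inserted.
function unsafeFlow(body) {
  const model = new ToyModel().mergeUnsafe(body);
  return model.save();
}

// Mitigation 1: allow list at the boundary drops $isPersisted, so save() INSERTs.
function allowListFlow(body) {
  const model = new ToyModel().mergeUnsafe(pickAllowed(body, ['email', 'name']));
  return model.save();
}

// Mitigation 2: a model-side check refuses the payload outright.
function hardenedModelFlow(body) {
  try {
    new ToyModel().mergeSafe(body);
    return 'accepted';
  } catch (err) {
    return 'rejected';
  }
}
```

Running unsafeFlow(UNTRUSTED_BODY) returns 'UPDATE', allowListFlow(UNTRUSTED_BODY) returns 'INSERT', and hardenedModelFlow(UNTRUSTED_BODY) returns 'rejected'. A validator that keeps unknown properties (the allowUnknownProperties case in the advisory) behaves like unsafeFlow, which is why the advisory treats only allow-list validation as a sufficient mitigation on unpatched versions.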

@renovate renovate bot force-pushed the renovate/npm-adonisjs-lucid-vulnerability branch from 361669f to 81e0cf9 Compare February 12, 2026 14:12
@renovate renovate bot force-pushed the renovate/npm-adonisjs-lucid-vulnerability branch from 81e0cf9 to 605fc5a Compare February 17, 2026 17:30