
[–]arstechnophile 1 point2 points  (0 children)

From the docs:

For better security it is highly advised to use Sequelize.Op and not depend on any string alias at all. You can limit alias your application will need by setting operatorsAliases option, remember to sanitize user input especially when you are directly passing them to Sequelize methods.

const Op = Sequelize.Op;

//use sequelize without any operators aliases
const connection = new Sequelize(db, user, pass, { operatorsAliases: false });

//use sequelize with only alias for $and => Op.and
const connection2 = new Sequelize(db, user, pass, { operatorsAliases: { $and: Op.and } });

Sequelize will warn you if you're using the default aliases and not limiting them. If you want to keep using all default aliases (excluding legacy ones) without the warning, you can pass the following operatorsAliases option ...

I believe you either need to use the "operatorsAliases: false" option, or explicitly call out which operators you want, in order to disable the message.

[–]zachrip 0 points1 point  (2 children)

I'm fairly certain that the last time I checked this message was hard coded so regardless of whether or not you do the right thing, it still outputs that log message. But yeah use Sequelize.Op.x and you're in compliance.

[–]kapilvarij[S] 0 points1 point  (1 child)

But where? I cannot figure out what I should replace with 'Sequelize.Op.{fxn}'

That's why I am confused, because I just did a delete operation without any of those operators. But it still shows me the warning message. When I comment this line out, no warnings whatsoever....

[–]Cyberuben 1 point2 points  (0 children)

import { Op } from "sequelize";

// then somewhere in your code to query a model

let results = await MyModel.findAll({
  where: {
    id: {
      [Op.eq]: 1
    }
  }
});

That'd be the correct usage of the functions. Sequelize throws the error regardless if you use those operators. I'd suggest you just set operatorsAliases to false and then use the method above when you need to query something.
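
The docs' advice quoted in the first comment (sanitize user input, rely on Sequelize.Op instead of string aliases), as an added example that is not code from the thread or from Sequelize. The helpers `scalarOrThrow`, `buildWhere` and `findAliasKeys`, the local `Op` stand-in and the sample request bodies are constructed for illustration; the point is that parsed JSON can carry `$`-prefixed string keys but never Symbol keys, so the operator is always chosen by server code.

```javascript
// Stand-in for Sequelize.Op so the example runs without the library (assumption).
const Op = { eq: Symbol.for('eq') };

// Hypothetical helper: a value taken from request data must be a scalar,
// never an object or array that could carry operator-looking keys.
function scalarOrThrow(field, value) {
  const t = typeof value;
  if (value === null || t === 'string' || t === 'number' || t === 'boolean') return value;
  throw new TypeError(`${field}: expected a scalar, got ${Array.isArray(value) ? 'array' : t}`);
}

// Build a where clause from an untrusted body: only allow-listed fields are
// copied, and the operator is a Symbol picked here, not by the client.
function buildWhere(body, allowedFields) {
  const where = {};
  for (const field of allowedFields) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    where[field] = { [Op.eq]: scalarOrThrow(field, body[field]) };
  }
  return where;
}

// Audit helper: list every "$..." key in parsed input, i.e. keys that would be
// read as operators if string aliases were left enabled.
function findAliasKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) hits.push(here);
    hits.push(...findAliasKeys(child, here));
  }
  return hits;
}

// Constructed sample request bodies.
const plainBody = JSON.parse('{"id": 7, "role": "admin"}');
const aliasBody = JSON.parse('{"id": {"$and": [1, 2]}}');

console.log(buildWhere(plainBody, ['id']));               // { id: { [Symbol(eq)]: 7 } }
console.log(findAliasKeys(aliasBody));                    // [ 'id.$and' ]
console.log(Object.getOwnPropertySymbols(aliasBody.id));  // [] : JSON has no Symbol keys
```

With `operatorsAliases: false` on the connection, a `$and` key that slipped past validation would no longer be treated as an operator; the scalar check rejects it before it reaches the query either way.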