Gathering detailed insights and metrics for sequelize
Gathering detailed insights and metrics for sequelize
Feature-rich ORM for modern Node.js and TypeScript, it supports PostgreSQL (with JSON and JSONB support), MySQL, MariaDB, SQLite, MS SQL Server, Snowflake, Oracle DB (v6), DB2 and DB2 for IBM i.
Installations
npm install sequelizeDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=10.0.0
Node Version
18.20.7
NPM Version
10.8.2
Score
88.2
Supply Chain
92.8
Quality
85.2
Maintenance
100
Vulnerability
99.6
License
Releases
487
Languages
4
TypeScript
JavaScript
Shell
Batchfile
TypeScript (50.66%)
JavaScript (49.09%)
Shell (0.25%)
Developer
Download Statistics
Total Downloads
417,590,178
Last Day
305,782
Last Week
1,910,148
Last Month
8,165,385
Last Year
99,223,980
GitHub Statistics
MIT License
30,006 Stars
11,517 Commits
4,294 Forks
404 Watchers
41 Branches
1,070 Contributors
Updated on May 30, 2025
Bundle Size
1.74 MB
Minified
327.00 kB
Minified + Gzipped
Sponsor this package
Maintainers
8
Package Meta Information
Latest Version
6.37.7
Package Id
sequelize@6.37.7
Unpacked Size
2.77 MB
Size
593.49 kB
File Count
300
NPM Version
10.8.2
Node Version
18.20.7
Published on
Mar 28, 2025
Total Downloads
Cumulative downloads
Total Downloads
417,590,178
Last Day
1.2%
305,782
Compared to previous day
Last Week
-3.7%
1,910,148
Compared to previous week
Last Month
7.2%
8,165,385
Compared to previous month
Last Year
15.8%
99,223,980
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
16
Dev Dependencies
60
@commitlint/cli@commitlint/config-angular@octokit/rest@octokit/types@types/chai@types/lodash@types/mocha@types/node@types/sinon@typescript-eslint/eslint-plugin@typescript-eslint/parseracornchaichai-as-promisedchai-datetimecheeriocls-hookedcopyfilescross-envdelayesbuildesdocesdoc-ecmascript-proposal-pluginesdoc-inject-style-pluginesdoc-standard-plugineslinteslint-plugin-jsdoceslint-plugin-mochaexpect-typefast-globfs-jetpackhuskyibm_dbjs-combinatoricslcov-result-mergerlint-stagedmariadbmarkdownlint-climochamodule-aliasmysql2node-hooknycoracledbp-mapp-propsp-settlep-timeoutpgpg-hstorerimrafsemantic-releasesemantic-release-fail-on-major-bumpsinonsinon-chaisnowflake-sdksource-map-supportsqlite3tedioustypescript
Sequelize
Sequelize is an easy-to-use and promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, DB2, Microsoft SQL Server, and Snowflake. It features solid transaction support, relations, eager and lazy loading, read replication and more.
Would you like to contribute? Read our contribution guidelines to know more. There are many ways to help! 😃
🚀 Seeking New Maintainers for Sequelize! 🚀
We're looking for new maintainers to help finalize and release the next major version of Sequelize! If you're passionate about open-source and database ORMs, we'd love to have you onboard.
💰 Funding Available
We distribute $2,500 per quarter among maintainers and have additional funds for full-time contributions.
🛠️ What You’ll Work On
- Finalizing and releasing Sequelize’s next major version
- Improving TypeScript support and database integrations
- Fixing critical issues and shaping the ORM’s future
🤝 How to Get Involved
Interested? Join our Slack and reach out to @WikiRik or @sdepold:
➡️ sequelize.org/slack
We’d love to have you on board! 🚀
:computer: Getting Started
Ready to start using Sequelize? Head to sequelize.org to begin!
:money_with_wings: Supporting the project
Do you like Sequelize and would like to give back to the engineering team behind it?
We have recently created an OpenCollective based money pool which is shared amongst all core maintainers based on their contributions. Every support is wholeheartedly welcome. ❤️
:pencil: Major version changelog
Please find upgrade information to major versions here:
:book: Resources
:wrench: Tools
- CLI
- With TypeScript
- Enhanced TypeScript with decorators
- For GraphQL
- For CockroachDB
- Awesome Sequelize
- For YugabyteDB
:speech_balloon: Translations
:warning: Responsible disclosure
If you have security issues to report, please refer to our Responsible Disclosure Policy for more details.
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
>= 5.0.0, < 5.15.1
Patched Versions
5.15.1
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
< 4.44.3
Patched Versions
4.44.3
Critical
9.8/10
Summary
SQL Injection via GeoJSON in sequelize
Affected Versions
>= 3.4.0, < 3.23.6
Patched Versions
3.23.6
Critical
10/10
Summary
Sequelize - Default support for “raw attributes” when using parentheses
Affected Versions
< 6.29.0
Patched Versions
6.29.0
Critical
10/10
Summary
Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements
Affected Versions
<= 6.28.2
Patched Versions
6.29.0
Critical
10/10
Summary
Unsafe fall-through in getWhereConditions
Affected Versions
< 6.28.1
Patched Versions
6.28.1
Critical
10/10
Summary
Sequelize vulnerable to SQL Injection via replacements
Affected Versions
< 6.19.1
Patched Versions
6.19.1
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
< 3.35.1
Patched Versions
3.35.1
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
>= 5.0.0, < 5.8.11
Patched Versions
5.8.11
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
>= 4.0.0, < 4.44.3
Patched Versions
4.44.3
Critical
9.8/10
Summary
SQL Injection in sequelize
Affected Versions
< 3.35.1
Patched Versions
3.35.1
High
7.5/10
Summary
SQL Injection in sequelize
Affected Versions
>= 5.0.0, < 5.3.0
Patched Versions
5.3.0
High
7.5/10
Summary
SQL Injection in sequelize
Affected Versions
<= 3.19.3
Patched Versions
3.20.0
High
0/10
Summary
SQL Injection in sequelize
Affected Versions
<= 2.0.0-rc7
Patched Versions
2.0.0-rc8
High
0/10
Summary
NoSQL Injection in sequelize
Affected Versions
< 4.12.0
Patched Versions
4.12.0
High
0/10
Summary
SQL Injection in sequelize
Affected Versions
< 3.17.0
Patched Versions
3.17.0
High
0/10
Summary
Potential SQL Injection in sequelize
Affected Versions
<= 2.1.3
Patched Versions
3.0.0
Moderate
5.3/10
Summary
Sequelize information disclosure vulnerability
Affected Versions
< 6.28.1
Patched Versions
6.28.1
Moderate
0/10
Summary
Denial of Service in sequelize
Affected Versions
< 4.44.4
Patched Versions
4.44.4
Moderate
0/10
Summary
SQL Injection in sequelize
Affected Versions
<= 1.7.0-alpha2
Patched Versions
1.7.0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
SAST tool is run on all commits
Details
- Info: all commits (13) are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 9
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/autoupdate.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/sequelize/sequelize/autoupdate.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:319: update your workflow using https://app.stepsecurity.io/secureworkflow/sequelize/sequelize/ci.yml/main?enable=pin
- Info: 38 out of 40 GitHub-owned GitHubAction dependencies pinned
- Info: 7 out of 7 third-party GitHubAction dependencies pinned
Reason
3 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-8c25-f3mj-v6h8
- Warn: Project is vulnerable to: GHSA-vqfx-gj96-3w95
- Warn: Project is vulnerable to: GHSA-f598-mfpv-gmfx
Reason
Found 0/22 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/authors.yml:15
- Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/pr-title.yml:17
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/pr-title.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/authors.yml:10
- Info: topLevel 'contents' permission set to 'read': .github/workflows/auto-add-pending-approval.yml:7
- Warn: no topLevel permission defined: .github/workflows/auto-remove-awaiting-response-label.yml:1
- Warn: no topLevel permission defined: .github/workflows/autoupdate.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/notify.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-title.yml:9
- Warn: no topLevel permission defined: .github/workflows/semgrep.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yml:8
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.5
/10
Last Scanned on 2025-05-26
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More