@mikro-orm/core 7.0.10-dev.1 → 7.0.10-dev.11

package/entity/EntityHelper.js

@@ -7,7 +7,12 @@ import { ReferenceKind } from '../enums.js';
 import { helper } from './wrap.js';
 import { inspect } from '../logging/inspect.js';
 import { getEnv } from '../utils/env-vars.js';
-const entitySymbol = Symbol('Entity');
+// Globally registered so the marker survives the CJS/ESM dual-package hazard
+// (#7515) — `tsx` registers both an ESM and a CJS hook for the CLI and ends up
+// loading `@mikro-orm/core` twice. JSON payloads still cannot forge the marker
+// because Symbol-keyed properties have no JSON representation, which is the
+// threat model the symbol-vs-string switch in f7e59a5ce was guarding against.
+const entitySymbol = Symbol.for('@mikro-orm/core/EntityHelper.entity');
 /**
  * @internal
  */
@@ -39,11 +44,6 @@ export class EntityHelper {
             // toJSON can be overridden
             Object.defineProperty(prototype, 'toJSON', {
                 value: function (...args) {
-                    // Guard against being called on the prototype itself (e.g. by serializers
-                    // walking the object graph and calling toJSON on prototype objects)
-                    if (this === prototype) {
-                        return {};
-                    }
                     return EntityTransformer.toObject(this, ...args);
                 },
                 writable: true,
@@ -51,6 +51,22 @@ export class EntityHelper {
                 enumerable: false,
             });
         }
+        // Walkers / serializers reaching the prototype directly invoke its methods and
+        // accessors with `this === prototype`. Wrap each so that case is a no-op rather
+        // than throwing (when a user `@Property({ persist: false })` getter dereferences
+        // unhydrated instance state) or installing state on the prototype itself (#7151).
+        for (const name of Object.getOwnPropertyNames(prototype)) {
+            const desc = Object.getOwnPropertyDescriptor(prototype, name);
+            const fn = desc.get ?? desc.value;
+            if (name === 'constructor' || typeof fn !== 'function' || fn.__guarded) {
+                continue;
+            }
+            const guarded = function (...args) {
+                return this === prototype ? undefined : fn.apply(this, args);
+            };
+            guarded.__guarded = true;
+            Object.defineProperty(prototype, name, desc.get ? { ...desc, get: guarded } : { ...desc, value: guarded });
+        }
     }
     /**
      * As a performance optimization, we create entity state methods lazily. We first add

package/metadata/MetadataDiscovery.js

@@ -393,7 +393,7 @@ export class MetadataDiscovery {
             }
             if (prop.joinColumns.length > 1) {
                 prop.ownColumns = prop.joinColumns.filter(col => {
-                    return !meta.props.find(p => p.name !== prop.name && (!p.fieldNames || p.fieldNames.includes(col)));
+                    return !meta.props.find(p => p.name !== prop.name && p.fieldNames?.includes(col));
                 });
             }
             if (!prop.ownColumns || prop.ownColumns.length === 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mikro-orm/core",
-  "version": "7.0.10-dev.1",
+  "version": "7.0.10-dev.11",
   "description": "TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.",
   "keywords": [
     "data-mapper",

package/unit-of-work/UnitOfWork.js

@@ -1188,20 +1188,21 @@ export class UnitOfWork {
     }
     getCommitOrder() {
         const calc = new CommitOrderCalculator();
-        const set = new Set();
+        // keyed by `_id` so we return the SAME instances as the change set groups (GH #7511)
+        const metaById = new Map();
         this.#changeSets.forEach(cs => {
             if (cs.meta.inheritanceType === 'tpt') {
-                set.add(cs.meta);
+                metaById.set(cs.meta._id, cs.meta);
                 for (const parentCs of cs.tptChangeSets ?? []) {
-                    set.add(parentCs.meta);
+                    metaById.set(parentCs.meta._id, parentCs.meta);
                 }
             }
             else {
-                set.add(cs.rootMeta);
+                metaById.set(cs.rootMeta._id, cs.rootMeta);
             }
         });
-        set.forEach(meta => calc.addNode(meta._id));
-        for (const meta of set) {
+        metaById.forEach(meta => calc.addNode(meta._id));
+        for (const meta of metaById.values()) {
             for (const prop of meta.relations) {
                 if (prop.polymorphTargets) {
                     for (const targetMeta of prop.polymorphTargets) {
@@ -1213,11 +1214,11 @@ export class UnitOfWork {
                 }
             }
             // For TPT, parent table must be inserted BEFORE child tables
-            if (meta.inheritanceType === 'tpt' && meta.tptParent && set.has(meta.tptParent)) {
+            if (meta.inheritanceType === 'tpt' && meta.tptParent && metaById.has(meta.tptParent._id)) {
                 calc.addDependency(meta.tptParent._id, meta._id, 1);
             }
         }
-        return calc.sort().map(id => this.#metadata.getById(id));
+        return calc.sort().map(id => metaById.get(id));
     }
     resetTransaction(oldTx) {
         if (oldTx) {

package/utils/QueryHelper.js

@@ -106,7 +106,10 @@ export class QueryHelper {
                 Object.keys(where).every(k => !Utils.isPlainObject(where[k]) ||
                     Object.keys(where[k]).every(v => {
                         if (Utils.isOperator(v, false)) {
-                            return true;
+                            // multi-value operators (e.g. `$in`/`$nin`) cannot be inlined into a composite
+                            // PK tuple — `getPrimaryKeyValues` would flatten the operator's array alongside
+                            // the sibling PK values, producing a malformed `(col1, col2) IN ((a, b))` clause
+                            return !meta.compositePK || !Array.isArray(where[k][v]);
                         }
                         if (meta.properties[k].primary &&
                             [ReferenceKind.ONE_TO_ONE, ReferenceKind.MANY_TO_ONE].includes(meta.properties[k].kind)) {

package/utils/RawQueryFragment.d.ts

@@ -4,6 +4,8 @@ declare const rawFragmentSymbolBrand: unique symbol;
 export type RawQueryFragmentSymbol = symbol & {
     readonly [rawFragmentSymbolBrand]: true;
 };
+/** Checks whether the given value is a `RawQueryFragment` instance. */
+export declare function isRaw(value: unknown): value is RawQueryFragment;
 /** Represents a raw SQL fragment with optional parameters, usable as both a value and an object key via Symbol coercion. */
 export declare class RawQueryFragment<Alias extends string = string> {
     #private;
@@ -30,8 +32,6 @@ export declare class RawQueryFragment<Alias extends string = string> {
     static getKnownFragment(key: unknown): RawQueryFragment | undefined;
 }
 export { RawQueryFragment as Raw };
-/** Checks whether the given value is a `RawQueryFragment` instance. */
-export declare function isRaw(value: unknown): value is RawQueryFragment;
 /** @internal */
 export declare const ALIAS_REPLACEMENT = "[::alias::]";
 /** @internal */

package/utils/RawQueryFragment.js

@@ -1,21 +1,53 @@
 import { Utils } from './Utils.js';
-const rawSymbol = Symbol('RawQueryFragment');
+// Brand lives on the prototype so JSON payloads — whose proto is
+// `Object.prototype` — cannot forge it. String key, not a `Symbol.for(...)`,
+// so each CJS/ESM copy of this module independently installs it on its own
+// prototype without publishing a global key for the marker that controls raw
+// SQL assembly. The string is namespaced so it does not collide with property
+// names users might independently install on their own prototypes.
+const RAW_FRAGMENT_BRAND = '__mikroOrmRawFragment';
+// Back-references from a fragment's symbol key to the fragment itself, shared
+// across CJS/ESM module copies via globalThis: when one copy creates a fragment
+// via `raw('…')` and stores its symbol in a where-clause object key, the other
+// copy still needs to recover the original fragment to assemble SQL.
+const REGISTRY_KEY = Symbol.for('@mikro-orm/core/RawQueryFragment.references');
+const rawQueryReferences = (globalThis[REGISTRY_KEY] ??=
+    new WeakMap());
+/** Checks whether the given value is a `RawQueryFragment` instance. */
+export function isRaw(value) {
+    if (value == null || typeof value !== 'object') {
+        return false;
+    }
+    // Fast path: intra-module instances and their subclasses.
+    // eslint-disable-next-line no-use-before-define
+    if (value instanceof RawQueryFragment) {
+        return true;
+    }
+    // Walk the prototype chain starting from the *prototype* (not the value) so
+    // own-property spoofing from JSON payloads cannot forge the brand. Stop at
+    // `Object.prototype`, which is never branded — that bails plain objects,
+    // JSON payloads, and built-ins like `Date`/`Array`/`Map` at depth 1.
+    for (let p = Object.getPrototypeOf(value); p != null && p !== Object.prototype; p = Object.getPrototypeOf(p)) {
+        if (Object.hasOwn(p, RAW_FRAGMENT_BRAND)) {
+            return true;
+        }
+    }
+    return false;
+}
 /** Represents a raw SQL fragment with optional parameters, usable as both a value and an object key via Symbol coercion. */
 export class RawQueryFragment {
     sql;
     params;
-    static #rawQueryReferences = new WeakMap();
     #key;
     constructor(sql, params = []) {
         this.sql = sql;
         this.params = params;
-        Object.defineProperty(this, rawSymbol, { value: true, enumerable: false });
     }
     /** Returns a unique symbol key for this fragment, creating and caching it on first access. */
     get key() {
         if (!this.#key) {
             this.#key = Symbol(this.toJSON());
-            RawQueryFragment.#rawQueryReferences.set(this.#key, this);
+            rawQueryReferences.set(this.#key, this);
         }
         return this.#key;
     }
@@ -42,7 +74,7 @@ export class RawQueryFragment {
     }
     /** Checks whether the given value is a symbol that maps to a known raw query fragment. */
     static isKnownFragmentSymbol(key) {
-        return typeof key === 'symbol' && this.#rawQueryReferences.has(key);
+        return typeof key === 'symbol' && rawQueryReferences.has(key);
     }
     /** Checks whether an object has any symbol keys that are known raw query fragments. */
     static hasObjectFragments(object) {
@@ -51,20 +83,17 @@ export class RawQueryFragment {
     }
     /** Checks whether the given value is a RawQueryFragment instance or a known fragment symbol. */
     static isKnownFragment(key) {
-        if (key instanceof RawQueryFragment) {
-            return true;
-        }
-        return this.isKnownFragmentSymbol(key);
+        return isRaw(key) || this.isKnownFragmentSymbol(key);
     }
     /** Retrieves the RawQueryFragment associated with the given key (instance or symbol). */
     static getKnownFragment(key) {
-        if (key instanceof RawQueryFragment) {
+        if (isRaw(key)) {
             return key;
         }
         if (typeof key !== 'symbol') {
             return;
         }
-        return this.#rawQueryReferences.get(key);
+        return rawQueryReferences.get(key);
     }
     /** @ignore */
     /* v8 ignore next */
@@ -75,11 +104,19 @@ export class RawQueryFragment {
         return { sql: this.sql };
     }
 }
+// Non-enumerable so the brand is skipped by JSON/Object.keys/for-in, and locked
+// down (non-writable, non-configurable) so in-process code cannot delete or
+// overwrite it and thereby silently disable `isRaw` recognition for every
+// fragment in the process. Subclasses don't need mutability here — they inherit
+// the brand via the prototype chain, and sibling-copy classes install their own
+// brand on their own prototype (a different object), so lockdown only blocks
+// tampering with the canonical marker.
+Object.defineProperty(RawQueryFragment.prototype, RAW_FRAGMENT_BRAND, {
+    value: true,
+    writable: false,
+    configurable: false,
+});
 export { RawQueryFragment as Raw };
-/** Checks whether the given value is a `RawQueryFragment` instance. */
-export function isRaw(value) {
-    return typeof value === 'object' && value !== null && Object.hasOwn(value, rawSymbol);
-}
 /** @internal */
 export const ALIAS_REPLACEMENT = '[::alias::]';
 /** @internal */
@@ -140,7 +177,7 @@ export const ALIAS_REPLACEMENT_RE = '\\[::alias::\\]';
  * ```
  */
 export function raw(sql, params) {
-    if (sql instanceof RawQueryFragment) {
+    if (isRaw(sql)) {
         return sql;
     }
     if (sql instanceof Function) {

package/utils/Utils.js

@@ -22,13 +22,22 @@ export function compareObjects(a, b) {
     if (a === b || (a == null && b == null)) {
         return true;
     }
-    if (!a || !b || typeof a !== 'object' || typeof b !== 'object' || !compareConstructors(a, b)) {
+    if (!a || !b || typeof a !== 'object' || typeof b !== 'object') {
         return false;
     }
+    // Raw fragments are compared by `sql` + `params` *before* the constructor
+    // check, so that two fragments carrying the same SQL but constructed by
+    // different CJS/ESM copies of this module (different classes, different
+    // prototypes) still compare as equal. Without this, the dual-package hazard
+    // would produce spurious change-set diffs when a raw fragment is used as a
+    // property value.
     if (isRaw(a) && isRaw(b)) {
         // eslint-disable-next-line @typescript-eslint/no-use-before-define
         return a.sql === b.sql && compareArrays(a.params, b.params);
     }
+    if (!compareConstructors(a, b)) {
+        return false;
+    }
     if (a instanceof Date && b instanceof Date) {
         const timeA = a.getTime();
         const timeB = b.getTime();
@@ -132,7 +141,7 @@ export function parseJsonSafe(value) {
 /** Collection of general-purpose utility methods used throughout the ORM. */
 export class Utils {
     static PK_SEPARATOR = '~~~';
-    static #ORM_VERSION = '7.0.10-dev.1';
+    static #ORM_VERSION = '7.0.10-dev.11';
     /**
      * Checks if the argument is instance of `Object`. Returns false for arrays.
      */
@@ -647,8 +656,10 @@ export class Utils {
      * Extracts all possible values of a TS enum. Works with both string and numeric enums.
      */
     static extractEnumValues(target) {
-        const keys = Object.keys(target);
-        const values = Object.values(target);
+        // skip namespace-merged functions (GH #7500)
+        const entries = Object.entries(target).filter(([, v]) => typeof v !== 'function');
+        const keys = entries.map(([k]) => k);
+        const values = entries.map(([, v]) => v);
         const numeric = !!values.find(v => typeof v === 'number');
         const constEnum = values.length % 2 === 0 && // const enum will have even number of items
             values.slice(0, values.length / 2).every(v => typeof v === 'string') && // first half are strings

package/utils/fs-utils.js

@@ -14,10 +14,11 @@ export const fs = {
         if (tinyGlobby) {
             globSync = (patterns, options) => {
                 patterns = Utils.asArray(patterns).map(p => p.replace(/\\/g, '/'));
-                if (options?.cwd) {
-                    options = { ...options, cwd: options.cwd.replace(/\\/g, '/') };
-                }
-                return tinyGlobby.globSync(patterns, { ...options, expandDirectories: false });
+                // never forward `cwd: undefined` — tinyglobby >= 0.2.16 calls `path.resolve(undefined)` and throws
+                return tinyGlobby.globSync(patterns, {
+                    expandDirectories: false,
+                    ...(options?.cwd && { cwd: options.cwd.replace(/\\/g, '/') }),
+                });
             };
         }
     },