fix: do not replace :replacements inside of strings (#14472)

package.json

@@ -61,6 +61,7 @@
     "@octokit/rest": "^18.12.0",
     "@octokit/types": "^6.34.0",
     "@types/chai": "^4.3.0",
+    "@types/lodash": "4.14.182",
     "@types/mocha": "^9.0.0",
     "@types/node": "^16.11.17",
     "@types/sinon": "^10.0.6",

src/dialects/abstract/index.d.ts

@@ -0,0 +1,106 @@
+import type { Dialect } from '../../sequelize.js';
+import type { AbstractQuery } from './query.js';
+
+export declare type DialectSupports = {
+  'DEFAULT': boolean;
+  'DEFAULT VALUES': boolean;
+  'VALUES ()': boolean;
+  'LIMIT ON UPDATE': boolean;
+  'ON DUPLICATE KEY': boolean;
+  'ORDER NULLS': boolean;
+  'UNION': boolean;
+  'UNION ALL': boolean;
+  'RIGHT JOIN': boolean;
+  EXCEPTION: boolean;
+  forShare?: 'LOCK IN SHARE MODE' | 'FOR SHARE' | undefined;
+  lock: boolean;
+  lockOf: boolean;
+  lockKey: boolean;
+  lockOuterJoinFailure: boolean;
+  skipLocked: boolean;
+  finalTable: boolean;
+  returnValues: false | {
+    output: boolean;
+    returning: boolean;
+  };
+  autoIncrement: {
+    identityInsert: boolean;
+    defaultValue: boolean;
+    update: boolean;
+  };
+  bulkDefault: boolean;
+  schemas: boolean;
+  transactions: boolean;
+  settingIsolationLevelDuringTransaction: boolean;
+  transactionOptions: {
+    type: boolean;
+  };
+  migrations: boolean;
+  upserts: boolean;
+  inserts: {
+    ignoreDuplicates: string;
+    updateOnDuplicate: boolean | string;
+    onConflictDoNothing: string;
+    conflictFields: boolean;
+  };
+  constraints: {
+    restrict: boolean;
+    addConstraint: boolean;
+    dropConstraint: boolean;
+    unique: boolean;
+    default: boolean;
+    check: boolean;
+    foreignKey: boolean;
+    primaryKey: boolean;
+    onUpdate: boolean;
+  };
+  index: {
+    collate: boolean;
+    length: boolean;
+    parser: boolean;
+    concurrently: boolean;
+    type: boolean;
+    using: boolean | number;
+    functionBased: boolean;
+    operator: boolean;
+    where: boolean;
+  };
+  groupedLimit: boolean;
+  indexViaAlter: boolean;
+  JSON: boolean;
+  JSONB: boolean;
+  ARRAY: boolean;
+  RANGE: boolean;
+  NUMERIC: boolean;
+  GEOMETRY: boolean;
+  GEOGRAPHY: boolean;
+  REGEXP: boolean;
+  /**
+   * Case-insensitive regexp operator support ('~*' in postgres).
+   */
+  IREGEXP: boolean;
+  HSTORE: boolean;
+  TSVECTOR: boolean;
+  deferrableConstraints: boolean;
+  tmpTableTrigger: boolean;
+  indexHints: boolean;
+  searchPath: boolean;
+};
+
+export declare abstract class AbstractDialect {
+  /**
+   * List of features this dialect supports.
+   *
+   * Important: Dialect implementations inherit these values.
+   * When changing a default, ensure the implementations still properly declare which feature they support.
+   */
+  static readonly supports: DialectSupports;
+  readonly defaultVersion: string;
+  readonly Query: typeof AbstractQuery;
+  readonly name: Dialect;
+  readonly TICK_CHAR: string;
+  readonly TICK_CHAR_LEFT: string;
+  readonly TICK_CHAR_RIGHT: string;
+  readonly queryGenerator: unknown;
+  get supports(): DialectSupports;
+}

src/sequelize.js

@@ -26,6 +26,7 @@ const { BelongsTo } = require('./associations/belongs-to');
 const HasOne = require('./associations/has-one');
 const { BelongsToMany } = require('./associations/belongs-to-many');
 const { HasMany } = require('./associations/has-many');
+const { injectReplacements } = require('./utils/sql');
 
 /**
  * This is the main class, the entry point to sequelize.
@@ -598,11 +599,7 @@ class Sequelize {
     }
 
     if (options.replacements) {
-      if (Array.isArray(options.replacements)) {
-        sql = Utils.format([sql].concat(options.replacements), this.options.dialect);
-      } else {
-        sql = Utils.formatNamedParameters(sql, options.replacements, this.options.dialect);
-      }
+      sql = injectReplacements(sql, this.dialect, options.replacements);
     }
 
     let bindParameters;
@@ -629,7 +626,7 @@ class Sequelize {
       checkTransaction();
 
       const connection = await (options.transaction ? options.transaction.connection : this.connectionManager.getConnection(options));
-      
+
       if (this.options.dialect === 'db2' && options.alter) {
         if (options.alter.drop === false) {
           connection.dropTable = false;

src/sql-string.d.ts

@@ -1,5 +1,5 @@
 export type Escapable = undefined | null | boolean | number | string | Date;
 export function escapeId(val: string, forbidQualified?: boolean): string;
-export function escape(val: Escapable | Escapable[], timeZone?: string, dialect?: string, format?: string): string;
+export function escape(val: Escapable | Escapable[], timeZone?: string, dialect?: string, format?: boolean): string;
 export function format(sql: string, values: unknown[], timeZone?: string, dialect?: string): string;
 export function formatNamedParameters(sql: string, values: unknown[], timeZone?: string, dialect?: string): string;

src/utils.js

@@ -114,13 +114,26 @@ function pluralize(str) {
 }
 exports.pluralize = pluralize;
 
+/**
+ * @deprecated use {@link injectReplacements} instead. This method has been removed in v7.
+ *
+ * @param {[string, ...unknown[]]} arr - first item is the SQL, following items are the positional replacements.
+ * @param {AbstractDialect} dialect
+ */
 function format(arr, dialect) {
   const timeZone = null;
   // Make a clone of the array beacuse format modifies the passed args
   return SqlString.format(arr[0], arr.slice(1), timeZone, dialect);
 }
 exports.format = format;
 
+/**
+ * @deprecated use {@link injectReplacements} instead. This method has been removed in v7.
+ *
+ * @param {string} sql
+ * @param {object} parameters
+ * @param {AbstractDialect} dialect
+ */
 function formatNamedParameters(sql, parameters, dialect) {
   const timeZone = null;
   return SqlString.formatNamedParameters(sql, parameters, timeZone, dialect);