TypeORM

registrynpm

package nametypeorm

maintainerTypeORM Contributors

TypeORM is a TypeScript ORM supporting PostgreSQL, MySQL, SQLite, MongoDB, and other databases, using decorators and entity classes for schema definition. It is widely used in NestJS applications and Angular backends. TypeORM's data source configuration holds database credentials that are read at startup.

api usage

Checking TypeORM

typeorm 0.3.20 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=typeorm&version=0.3.20" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "typeorm",
  "version": "0.3.20",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

ORM data source initialization reads plaintext credentials from configuration or environment variables before the first query is executed. A backdoored ORM can exfiltrate these credentials during the startup sequence.

Attestd monitors typeorm using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages NestJS Core Prisma Client Drizzle ORM postgresql CVE coverage Response fields