Security
Headlines

Headline

CVE-2023-22578

Due to improper attribute filtering in the Sequelize JS library, an attacker can perform SQL injection.

CVE
#sql #js


Related news

GHSA-f598-mfpv-gmfx: Sequelize - Default support for “raw attributes” when using parentheses

### Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL:

```ts
User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});
```

Produced:

```sql
SELECT count(id) AS "count" FROM "users"
```

### Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [`@sequelize/[email protected]`](https://github.com/sequelize/sequelize/pull/15374) and [`[email protected]`](https://github.com/sequelize/sequelize/pull/15710).

In Sequelize 7, it now produces the following:

```sql
SELECT "count(id)" AS "count" FROM "users"
```

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequ...
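To make the difference between the two behaviours concrete, the following is an added illustration written for this page; it is not Sequelize's own code. It models the two rendering rules the advisory describes (the legacy rule that inlines any attribute string containing a parenthesis, and the always-escape rule of Sequelize 7) with a minimal identifier quoter, and adds a small audit helper that lists the attribute strings a codebase relies on being inlined raw. The function names `quoteIdentifier`, `renderAttribute`, `buildSelect` and `findRawAttributes` are assumptions made here, not Sequelize APIs.

```javascript
// Added illustration (not Sequelize's own code): legacy "raw attribute"
// inlining versus always-escape identifier quoting.

// Quote an identifier in the double-quote style shown in the advisory's SQL:
// wrap in double quotes and double any embedded double quote, so whatever is
// inside is treated by the database as a column name, never as an expression.
function quoteIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Render one attribute entry. Entries are either a plain string or
// [expression, alias], mirroring the attributes option in the advisory.
//   mode "legacy": a string containing "(" is emitted verbatim (Sequelize <= 6.28.2)
//   mode "escape": the string is always quoted as an identifier (Sequelize 7)
function renderAttribute(attr, mode) {
  const [expr, alias] = Array.isArray(attr) ? attr : [attr, undefined];
  let sql;
  if (mode === 'legacy' && typeof expr === 'string' && expr.includes('(')) {
    sql = expr; // inlined as-is: the string reaches the SQL unchanged
  } else {
    sql = quoteIdentifier(expr); // always escaped
  }
  return alias === undefined ? sql : sql + ' AS ' + quoteIdentifier(alias);
}

// Build the SELECT list for a table under the chosen rule.
function buildSelect(table, attributes, mode) {
  const list = attributes.map((a) => renderAttribute(a, mode)).join(', ');
  return 'SELECT ' + list + ' FROM ' + quoteIdentifier(table);
}

// Audit helper: return the attribute strings that the legacy rule would have
// inlined raw, so call sites can be reviewed before moving to always-escape.
function findRawAttributes(attributes) {
  return attributes
    .map((a) => (Array.isArray(a) ? a[0] : a))
    .filter((expr) => typeof expr === 'string' && expr.includes('('));
}

// Constructed sample input, the same shape as the advisory's findAll call.
const sampleAttributes = [['count(id)', 'count'], 'name'];

console.log(buildSelect('users', sampleAttributes, 'legacy'));
console.log(buildSelect('users', sampleAttributes, 'escape'));
console.log('attributes relying on raw inlining:', findRawAttributes(sampleAttributes));
```

Under `legacy` the sample renders `count(id)` unquoted, exactly as the advisory's first SQL shows; under `escape` it renders `"count(id)"`, a quoted identifier that the database will look up as a column name rather than evaluate. In the real library, an aggregate is expressed through the query builder (for example `sequelize.fn('count', sequelize.col('id'))`) rather than by passing a string containing parentheses, which is why the always-escape rule loses nothing for code written the intended way.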

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907