If I try to use Sequelize.js like this:

    model.user.create(
      {
        username: user_name,
        password: hashed_password
      },
      {
        attribute: ['id'],
        raw: true
      }
    );

Will Sequelize.js ensure user_name will not cause any SQL injection, or should I make sure to escape it before handing it off to Sequelize.js? (In the model, both username and password are just type: Sequelize.TEXT.)
From what I see in the source code for Sequelize v4 and v5, the insertQuery() function is escaping everything it can in the generated query. Here is the actual escape() function implementation.
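What escaping a value such as user_name achieves in the generated INSERT, as an added example that is not part of the original answer and is not Sequelize's code. All helper names, the users table and the sample rows are constructed for illustration, and the escaping shown is plain standard-SQL quote doubling, a simplified stand-in for Sequelize's dialect-aware escape().

```javascript
// Simplified stand-in for value escaping (standard-SQL quote doubling); not Sequelize source.
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// What hand-built SQL does when nothing escapes the value.
function naiveLiteral(value) {
  return "'" + String(value) + "'";
}

// Hypothetical helper: the INSERT shape a create({username, password}) call maps to.
function buildInsert(row, quote) {
  const cols = Object.keys(row);
  const vals = cols.map((c) => quote(row[c]));
  return `INSERT INTO users (${cols.join(', ')}) VALUES (${vals.join(', ')});`;
}

// Split a statement into its string literals and the SQL around them ('' = escaped quote).
function splitLiterals(sql) {
  const literals = [];
  let skeleton = '', i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { skeleton += sql[i++]; continue; }
    let text = '', closed = false;
    i++; // skip the opening quote
    while (i < sql.length && !closed) {
      if (sql[i] === "'" && sql[i + 1] === "'") { text += "'"; i += 2; }
      else if (sql[i] === "'") { closed = true; i++; }
      else { text += sql[i++]; }
    }
    if (!closed) return { literals, skeleton, balanced: false };
    literals.push(text);
    skeleton += '?';
  }
  return { literals, skeleton, balanced: true };
}

// True when the values stayed data: the statement has the same skeleton as a
// harmless row and every literal decodes back to the exact input value.
function staysData(row, quote) {
  const harmless = Object.fromEntries(Object.keys(row).map((k) => [k, 'x']));
  const expected = splitLiterals(buildInsert(harmless, escapeLiteral)).skeleton;
  const got = splitLiterals(buildInsert(row, quote));
  return got.balanced && got.skeleton === expected &&
    JSON.stringify(got.literals) === JSON.stringify(Object.values(row));
}

const SAMPLES = [{ username: "o'brien", password: 'h' }, { username: "a', 'b", password: 'h' }]; // constructed
for (const r of SAMPLES) console.log(buildInsert(r, escapeLiteral), staysData(r, naiveLiteral), staysData(r, escapeLiteral));
```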