Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:
Bind parameters are like replacements. Except replacements are escaped
and inserted into the query by sequelize before the query is sent to
the database, while bind parameters are sent to the database outside
the SQL query text. A query can have either bind parameters or
replacements.
Only SQLite and PostgreSQL support bind parameters. Other dialects
will insert them into the SQL query in the same way it is done for
replacements. Bind parameters are referred to by either $1, $2, ...
(numeric) or $key (alpha-numeric). This is independent of the dialect.
