Remove built-in pgpass support. (#3636)

brianc · web-flow · commit cb85dad389f6 · 2026-03-06T01:15:15.000-06:00
* Remove built-in pgpass support.

* Add documentation on using pgpass
diff --git a/docs/pages/guides/_meta.js b/docs/pages/guides/_meta.js
@@ -3,4 +3,5 @@ export default {
   'async-express': 'Express with Async/Await',
   'pool-sizing': 'Pool Sizing',
   upgrading: 'Upgrading',
+  pgpass: 'Using .pgpass',
 }
diff --git a/docs/pages/guides/pgpass.md b/docs/pages/guides/pgpass.md
@@ -0,0 +1,39 @@
+---
+title: Using .pgpass
+---
+
+PostgreSQL supports a [.pgpass](https://www.postgresql.org/docs/current/libpq-pgpass.html) file for storing passwords. The file is located at `~/.pgpass` on Unix systems and `%APPDATA%\postgresql\pgpass.conf` on Windows. Each line in the file has the format:
+
+```
+hostname:port:database:username:password
+```
+
+You can use the [pgpass](https://www.npmjs.com/package/pgpass) module together with the `password` callback to look up passwords from your `.pgpass` file:
+
+```js
+import pg from 'pg'
+import pgpass from 'pgpass'
+
+const { Pool } = pg
+
+const pool = new Pool({
+  user: 'my-user',
+  host: 'localhost',
+  database: 'my-db',
+  password: (config) => {
+    return new Promise((resolve, reject) => {
+      const connection = {
+        host: config.host,
+        port: config.port,
+        database: config.database,
+        user: config.user,
+      }
+      pgpass(connection, (password) => {
+        resolve(password)
+      })
+    })
+  },
+})
+```
+
+The `password` option accepts an async function (or a function that returns a `Promise`). It is called with the connection parameters, so you can pass them directly to `pgpass` for lookup.
diff --git a/packages/pg/lib/client.js b/packages/pg/lib/client.js
@@ -20,12 +20,6 @@ const queryQueueDeprecationNotice = nodeUtils.deprecate(
   'Client.queryQueue is deprecated and will be removed in pg@9.0.'
 )
 
-const pgPassDeprecationNotice = nodeUtils.deprecate(
-  () => {},
-  'pgpass support is deprecated and will be removed in pg@9.0. ' +
-    'You can provide an async function as the password property to the Client/Pool constructor that returns a password instead. Within this function you can call the pgpass module in your own code.'
-)
-
 const byoPromiseDeprecationNotice = nodeUtils.deprecate(
   () => {},
   'Passing a custom Promise implementation to the Client/Pool constructor is deprecated and will be removed in pg@9.0.'
@@ -248,42 +242,29 @@ class Client extends EventEmitter {
   }
 
   _getPassword(cb) {
-    const con = this.connection
-    if (typeof this.password === 'function') {
-      this._Promise
-        .resolve()
-        .then(() => this.password(this.connectionParameters))
-        .then((pass) => {
-          if (pass !== undefined) {
-            if (typeof pass !== 'string') {
-              con.emit('error', new TypeError('Password must be a string'))
-              return
-            }
-            this.connectionParameters.password = this.password = pass
-          } else {
-            this.connectionParameters.password = this.password = null
-          }
-          cb()
-        })
-        .catch((err) => {
-          con.emit('error', err)
-        })
-    } else if (this.password !== null) {
+    if (typeof this.password !== 'function') {
       cb()
-    } else {
-      try {
-        const pgPass = require('pgpass')
-        pgPass(this.connectionParameters, (pass) => {
-          if (undefined !== pass) {
-            pgPassDeprecationNotice()
-            this.connectionParameters.password = this.password = pass
-          }
-          cb()
-        })
-      } catch (e) {
-        this.emit('error', e)
-      }
+      return
     }
+    const con = this.connection
+    this._Promise
+      .resolve()
+      .then(() => this.password(this.connectionParameters))
+      .then((pass) => {
+        if (pass !== undefined) {
+          if (typeof pass !== 'string') {
+            con.emit('error', new TypeError('Password must be a string'))
+            return
+          }
+          this.connectionParameters.password = this.password = pass
+        } else {
+          this.connectionParameters.password = this.password = null
+        }
+        cb()
+      })
+      .catch((err) => {
+        con.emit('error', err)
+      })
   }
 
   _handleAuthCleartextPassword(msg) {
diff --git a/packages/pg/package.json b/packages/pg/package.json
@@ -35,15 +35,15 @@
     "pg-connection-string": "^2.12.0",
     "pg-pool": "^3.13.0",
     "pg-protocol": "^1.13.0",
-    "pg-types": "2.2.0",
-    "pgpass": "1.0.5"
+    "pg-types": "2.2.0"
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "0.8.23",
     "@cloudflare/workers-types": "^4.20230404.0",
     "async": "2.6.4",
     "bluebird": "3.7.2",
     "co": "4.6.0",
+    "pgpass": "1.0.5",
     "pg-copy-streams": "0.3.0",
     "typescript": "^4.0.3",
     "vitest": "~3.0.9",

Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,5 @@ export default {`
`3`	`3`	`'async-express': 'Express with Async/Await',`
`4`	`4`	`'pool-sizing': 'Pool Sizing',`
`5`	`5`	`upgrading: 'Upgrading',`
	`6`	`+ pgpass: 'Using .pgpass',`
`6`	`7`	`}`