Skip to content

feat(pg-connection-string): warn if non-standard ssl options are used#3473

Merged
brianc merged 2 commits into
masterfrom
push-qkwyoukwlmvl
Jul 7, 2025
Merged

feat(pg-connection-string): warn if non-standard ssl options are used#3473
brianc merged 2 commits into
masterfrom
push-qkwyoukwlmvl

Conversation

@hjr3

@hjr3 hjr3 commented May 26, 2025

Copy link
Copy Markdown
Collaborator

In preparation for v3.0.0, we start warning users to be explicit about the sslmode they want.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 26, 2025

Copy link
Copy Markdown

Deploying node-postgres with  Cloudflare Pages  Cloudflare Pages

Latest commit: 6bdb0b7
Status: ✅  Deploy successful!
Preview URL: https://f5d22a97.node-postgres.pages.dev
Branch Preview URL: https://push-qkwyoukwlmvl.node-postgres.pages.dev

View logs

@charmander charmander left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could warn this way for repeat callers: https://nodejs.org/api/process.html#avoiding-duplicate-warnings

In preparation for v3.0.0, we start warning users to be explicit about
the sslmode they want.
@hjr3 hjr3 force-pushed the push-qkwyoukwlmvl branch from 5af779f to c546e88 Compare May 27, 2025 13:58
@hjr3

hjr3 commented May 27, 2025

Copy link
Copy Markdown
Collaborator Author

Could warn this way for repeat callers: https://nodejs.org/api/process.html#avoiding-duplicate-warnings

TIL - implemented

Comment thread packages/pg-connection-string/index.js Outdated
@brianc brianc merged commit c8fb1e9 into master Jul 7, 2025
15 checks passed
@brianc brianc deleted the push-qkwyoukwlmvl branch July 7, 2025 22:33
@jawj

jawj commented May 18, 2026

Copy link
Copy Markdown
Contributor

Has the change that drives this warning been discussed elsewhere?

Usually I would be all for adopting the standard or upstream semantics — but I actually think this is an example where libpq gets it badly wrong and current node-postgres has historically done much better. libpq'ssslmode=require really sounds secure but it absolutely is not: this is a serious footgun that people are shooting themselves in the foot with all the time.

The change here means that, if and when developers upgrade node-postgres to 9.0, connections that used to be secure will suddenly become insecure. I mean, hopefully they'll see the warning and do something about it ... but surely many will not.

IMHO it would be much better to have users actively opt in to this downgrade in TLS protection. That would mean keeping the uselibpqcompat flag, and keeping it false by default.

As I understand it, node-postgres historically treats every sslmode from require upwards as not just verify-full, but as sslrootcert=system. IMHO this is also behaviour that libpq got wrong and node-postgres got right. If the developer asks for verify-full and doesn't provide a root CA cert, libpq throws. In the same situation, node-postgres validates against the system root CA certs. That matches the behaviour of https and is the logic I think most current developers would expect.

Is it proposed to match libpq here too, and throw an error if the user specifies sslmode=verify-full without also providing a certificate? I don't think it should be — but that's also where the logic of matching libpq takes you.

@hjr3

hjr3 commented May 18, 2026

Copy link
Copy Markdown
Collaborator Author

@jawj there was a long discussion on #2709

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants