fix: pin EQL install scripts to eql-2.2.1

coderdan · coderdan · commit c666853b64ed · 2026-05-21T18:19:28.000+10:00
Stack installed the EQL SQL bundle from an unpinned releases/latest URL. EQL's Latest GitHub release moved to the 2.3 line, so CI (and the CLI installer / Drizzle generator) started pulling EQL 2.3 while the code emits EQL 2.2 payloads (protect-ffi 0.21.4) — breaking STE-vec containment queries. Pin local/Dockerfile, the CLI installer, and the Drizzle migration generator to eql-2.2.1. The move to 2.3 happens with the protect-ffi 0.22.0 upgrade.
diff --git a/local/Dockerfile b/local/Dockerfile
@@ -2,8 +2,10 @@ FROM postgres:latest
 
 RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
 
-# Download latest EQL install script
-RUN curl -sLo /tmp/cipherstash-encrypt.sql https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt.sql
+# EQL install script, pinned to match the EQL payload format the code emits
+# (protect-ffi 0.21.x -> EQL 2.2). Bump in lockstep with protect-ffi.
+ARG EQL_VERSION=eql-2.2.1
+RUN curl -sLo /tmp/cipherstash-encrypt.sql https://github.com/cipherstash/encrypt-query-language/releases/download/${EQL_VERSION}/cipherstash-encrypt.sql
 
 # Copy the custom entrypoint script and SQL files
 COPY postgres-entrypoint.sh /usr/local/bin/postgres-entrypoint.sh
diff --git a/packages/cli/src/installer/index.ts b/packages/cli/src/installer/index.ts
@@ -2,10 +2,13 @@ import { existsSync, readFileSync } from 'node:fs'
 import { dirname, join, resolve } from 'node:path'
 import pg from 'pg'
 
+// EQL release, pinned to match the EQL payload format this package emits.
+// Bump in lockstep with @cipherstash/protect-ffi.
+const EQL_VERSION = 'eql-2.2.1'
 const EQL_INSTALL_URL =
-  'https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt.sql'
+  `https://github.com/cipherstash/encrypt-query-language/releases/download/${EQL_VERSION}/cipherstash-encrypt.sql`
 const EQL_INSTALL_NO_OPERATOR_FAMILY_URL =
-  'https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt-supabase.sql'
+  `https://github.com/cipherstash/encrypt-query-language/releases/download/${EQL_VERSION}/cipherstash-encrypt-supabase.sql`
 const EQL_SCHEMA_NAME = 'eql_v2'
 
 /**
diff --git a/packages/drizzle/src/bin/generate-eql-migration.ts b/packages/drizzle/src/bin/generate-eql-migration.ts
@@ -4,8 +4,11 @@ import { readdir } from 'node:fs/promises'
 import { join, resolve } from 'node:path'
 import { detectRunner } from './runner.js'
 
+// EQL release, pinned to match the EQL payload format this package emits.
+// Bump in lockstep with @cipherstash/protect-ffi.
+const EQL_VERSION = 'eql-2.2.1'
 const EQL_INSTALL_URL =
-  'https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt.sql'
+  `https://github.com/cipherstash/encrypt-query-language/releases/download/${EQL_VERSION}/cipherstash-encrypt.sql`
 
 type CliArgs = {
   migrationName: string
