🚨 [security] Update drizzle-orm 0.44.5 → 0.45.2 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ drizzle-orm (0.44.5 → 0.45.2) · Repo

Security Advisories 🚨

🚨 Drizzle ORM has SQL injection via improperly escaped SQL identifiers

Summary

Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.

As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL.

Affected components

The issue affects the identifier escaping logic used by the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects.

Impact

This issue only affects applications that pass untrusted runtime input into identifier or alias construction. Common examples include dynamic sorting, dynamic report builders, and CTE or alias names derived from request parameters.

Depending on the database dialect, query context, and database permissions, successful exploitation may enable blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations.

Applications that use only static schema objects, or that strictly map user input through an allowlist of known column or alias names, are not affected.

Details

In affected versions, escapeName() wrapped the identifier but did not escape the quote delimiter inside the identifier value:

• PostgreSQL / SQLite / Gel: " was not doubled to ""
• MySQL / SingleStore: ` was not doubled to ``

Because of this, crafted input containing the dialect-specific identifier delimiter could break out of the quoted identifier and be interpreted as SQL syntax.

A representative vulnerable pattern is dynamic sorting using untrusted input:

const sortField = req.query.sort || 'id';
const rows = await db

.select()

.from(users)

.orderBy(sql.identifier(sortField));

Release Notes

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped
  causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @EthanKim88, @0x90sh and @wgoodall01 for reaching out to us with a reproduction and suggested fix

0.45.1

• Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden require() (#5107)

0.45.0

• Fixed pg-native Pool detection in node-postgres transactions
• Allowed subqueries in select fields
• Updated typo algorythm => algorithm
• Fixed $onUpdate not handling SQL values (fixes #2388, tests implemented by L-Mario564 in #2911)
• Fixed pg mappers not handling Date instances in bun-sql:postgresql driver responses for date, timestamp types (fixes #4493)

0.44.7

• fix durable sqlite transaction return value #3746 - thanks @joaocstro

0.44.6

• feat: add $replicas reference #4874

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

• + 0.45.2 (#5534)
• Kit updates (#5490)
• feat(drizzle-kit): support d1 via binding (#5302)
• Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden `require()` (fixes #5107) (#5118)
• Merge pull request #5095 from drizzle-team/main-workflows
• Merge branch 'main' into main-workflows
• refactor: Update condition for run-feature job to improve clarity and functionality
• Merge pull request #5087 from drizzle-team/main-workflows
• chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
• refactor: Simplify release router workflow by removing unnecessary switch job and consolidating secret inheritance
• Merge remote-tracking branch 'origin/ext-deps-kit' into main-workflows
• +
• feat: Add release router workflow to manage feature and latest releases
• Merge pull request #5002 from drizzle-team/main-next-pack
• Credited author of copied tests in changelog
• Merge branch 'main' of https://github.com/drizzle-team/drizzle-orm into main-next-pack
• Fixed `bun-sql:postgresql` date, timestamp mappers not accounting for `Date` instances in driver response, updated changelogs
• Fixed `SQL` in `` (fixes #2388, rework of #2911 with handling in proper place)
• fix: update permissions for GitHub releases in workflow files
• chore: Update version to 0.31.8 and add changelog for bug fixes
• fix: Update external dependencies in build configuration
• Removed unneeded lefrover changes
• Merge remote-tracking branch 'origin/main'
• +
• Merge pull request #5036 from drizzle-team/kit-checks
• Merge branch 'main' into kit-checks
• fix: Update permissions and streamline npm configuration in release workflows
• Merge pull request #5035 from drizzle-team/kit-checks
• fix: Add environment variables for npm authentication in release workflow
• fix: Fix release-latest
• Merge pull request #5034 from drizzle-team/kit-checks
• +
• +
• fix npm release
• fix npm release
• fix: Update Docker image tag from 'latest' to '6' in createDockerDB function
• fix: Update version to 0.31.7 and add changelog for bug fixes
• fix: Refine CHECK constraint query in pgSerializer
• Version fix
• Version bump, added changelogs
• Fix: Updated algorithm typo (#1676)
• Feat: Allow subqueries in select fields (#1674)
• Build fix
• Fix pg-native Pool transactions (#1708)
• [Drizzle Kit]: Extend api (#4999)
• fix durable sqlite transaction return value (#3746)
• Merge pull request #4826 from divyenduz/patch-1
• Merge branch 'main' into patch-1
• dprint
• Merge branch 'feat/issue-4873'
• dprint
• feat: add `$replicas` reference (#4874)
• Bump version
• Merge branch 'main' into feat/issue-4873
• [Drizzle Kit]: Add casing support to studio configuration and related functions (#4940)
• Merge branch 'main' into feat/issue-4873

🆕 @​emnapi/core (added, 1.4.3)

🆕 @​emnapi/runtime (added, 1.4.3)

🆕 @​emnapi/wasi-threads (added, 1.0.2)

🆕 @​napi-rs/wasm-runtime (added, 0.2.11)

🆕 @​tybys/wasm-util (added, 0.9.0)

🆕 tslib (added, 2.8.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
snippetslibrary-v2	Error		Apr 8, 2026 2:08am