Fix security vulnerabilities by upgrading drizzle-orm, hono, and vite

Upgrade drizzle-orm 0.44.5→0.45.2 (SQL injection fix), hono ^4.12.2→^4.12.12
(cookie/IP/path traversal fixes), vite ^7.3.1→^7.3.2 (WebSocket file read,
fs.deny bypass fixes), and drizzle-kit 0.31.1→0.31.10 for compatibility.
Add non-null assertions to c.req.param() calls to satisfy drizzle-orm 0.45's
stricter types.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bchapuis

apps/api/package.json

@@ -29,7 +29,7 @@
     "@types/node": "^22.19.7",
     "@types/three": "^0.181.0",
     "@types/wellknown": "^0.5.8",
-    "drizzle-kit": "0.31.1",
+    "drizzle-kit": "0.31.10",
     "globals": "^15.15.0",
     "partyserver": "^0.3.3",
     "typescript": "^5.9.3",
@@ -61,10 +61,10 @@
     "aws4fetch": "^1.0.20",
     "cloudflare": "^5.2.0",
     "cron-parser": "^5.4.0",
-    "drizzle-orm": "0.44.5",
+    "drizzle-orm": "0.45.2",
     "exifreader": "^4.36.0",
     "geotiff": "^2.1.3",
-    "hono": "^4.12.2",
+    "hono": "^4.12.12",
     "jose": "^6.1.3",
     "jsonpath-plus": "^10.3.0",
     "mailparser": "^3.9.1",

apps/api/src/routes/databases.ts

@@ -184,7 +184,7 @@ databaseRoutes.delete("/:id", async (c) => {
  * Get the schema of a database (tables, columns, foreign keys)
  */
 databaseRoutes.get("/:databaseId/schema", apiKeyOrJwtMiddleware, async (c) => {
-  const databaseId = c.req.param("databaseId");
+  const databaseId = c.req.param("databaseId")!;
   const { organizationId } = getAuthContext(c);
 
   const databaseService = new CloudflareDatabaseService(c.env);

apps/api/src/routes/endpoints.ts

@@ -201,7 +201,7 @@ endpointRoutes.on(
   apiKeyOrJwtMiddleware,
   (c, next) => createRateLimitMiddleware(c.env.RATE_LIMIT_EXECUTE)(c, next),
   async (c) => {
-    const id = c.req.param("id");
+    const id = c.req.param("id")!;
     const db = createDatabase(c.env.DB);
     const { organizationId, userId } = getAuthContext(c);
 

apps/api/src/routes/executions.ts

@@ -19,7 +19,7 @@ const executionRoutes = new Hono<ApiContext>();
 
 executionRoutes.get("/:id", apiKeyOrJwtMiddleware, async (c) => {
   const organizationId = c.get("organizationId")!;
-  const id = c.req.param("id");
+  const id = c.req.param("id")!;
 
   if (!isUuid(id)) {
     return c.json({ error: "Invalid execution ID format" }, 400);

apps/api/src/routes/oauth.ts

@@ -61,7 +61,7 @@ oauthRoutes.get(
   jwtMiddleware,
   resolveOrgFromQuery,
   async (c) => {
-    const providerName = c.req.param("provider");
+    const providerName = c.req.param("provider")!;
 
     try {
       const provider = getProvider(providerName);

apps/api/src/routes/workflows.ts

@@ -193,7 +193,7 @@ workflowRoutes.post(
  * Get a specific workflow by ID
  */
 workflowRoutes.get("/:id", jwtMiddleware, async (c) => {
-  const id = c.req.param("id");
+  const id = c.req.param("id")!;
   const organizationId = c.get("organizationId")!;
   const userId = c.var.jwtPayload?.sub;
 
@@ -248,7 +248,7 @@ workflowRoutes.put(
     }) as z.ZodType<UpdateWorkflowRequest>
   ),
   async (c) => {
-    const id = c.req.param("id");
+    const id = c.req.param("id")!;
     const workflowStore = new WorkflowStore(c.env);
 
     const organizationId = c.get("organizationId")!;
@@ -357,7 +357,7 @@ workflowRoutes.put(
  * Delete a workflow by ID
  */
 workflowRoutes.delete("/:id", jwtMiddleware, async (c) => {
-  const id = c.req.param("id");
+  const id = c.req.param("id")!;
   const workflowStore = new WorkflowStore(c.env);
 
   const organizationId = c.get("organizationId")!;
@@ -440,7 +440,7 @@ workflowRoutes.on(
   jwtMiddleware,
   (c, next) => createRateLimitMiddleware(c.env.RATE_LIMIT_EXECUTE)(c, next),
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const { organizationId } = getAuthContext(c);
 
     const workflowStore = new WorkflowStore(c.env);
@@ -490,7 +490,7 @@ workflowRoutes.on(
   jwtMiddleware,
   (c, next) => createRateLimitMiddleware(c.env.RATE_LIMIT_EXECUTE)(c, next),
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const { organizationId } = getAuthContext(c);
 
     const workflowStore = new WorkflowStore(c.env);
@@ -527,7 +527,7 @@ workflowRoutes.post(
   jwtMiddleware,
   async (c) => {
     const organizationId = c.get("organizationId")!;
-    const executionId = c.req.param("executionId");
+    const executionId = c.req.param("executionId")!;
     const executionStore = new CloudflareExecutionStore(c.env);
 
     // Get the execution to verify it exists and belongs to this organization
@@ -614,7 +614,7 @@ workflowRoutes.post(
  * Get queue trigger for a workflow
  */
 workflowRoutes.get("/:workflowId/queue-trigger", jwtMiddleware, async (c) => {
-  const workflowId = c.req.param("workflowId");
+  const workflowId = c.req.param("workflowId")!;
   const organizationId = c.get("organizationId")!;
   const workflowStore = new WorkflowStore(c.env);
   const db = createDatabase(c.env.DB);
@@ -655,7 +655,7 @@ workflowRoutes.put(
   jwtMiddleware,
   zValidator("json", UpsertQueueTriggerRequestSchema),
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const data = c.req.valid("json");
     const db = createDatabase(c.env.DB);
@@ -718,7 +718,7 @@ workflowRoutes.delete(
   "/:workflowId/queue-trigger",
   jwtMiddleware,
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const workflowStore = new WorkflowStore(c.env);
     const db = createDatabase(c.env.DB);
@@ -752,7 +752,7 @@ workflowRoutes.delete(
  * Get email trigger for a workflow
  */
 workflowRoutes.get("/:workflowId/email-trigger", jwtMiddleware, async (c) => {
-  const workflowId = c.req.param("workflowId");
+  const workflowId = c.req.param("workflowId")!;
   const organizationId = c.get("organizationId")!;
   const workflowStore = new WorkflowStore(c.env);
   const db = createDatabase(c.env.DB);
@@ -787,7 +787,7 @@ workflowRoutes.get(
   "/:workflowId/endpoint-trigger",
   jwtMiddleware,
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const workflowStore = new WorkflowStore(c.env);
     const db = createDatabase(c.env.DB);
@@ -831,7 +831,7 @@ workflowRoutes.put(
   jwtMiddleware,
   zValidator("json", UpsertEndpointTriggerRequestSchema),
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const data = c.req.valid("json");
     const db = createDatabase(c.env.DB);
@@ -898,7 +898,7 @@ workflowRoutes.delete(
   "/:workflowId/endpoint-trigger",
   jwtMiddleware,
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const workflowStore = new WorkflowStore(c.env);
     const db = createDatabase(c.env.DB);
@@ -933,7 +933,7 @@ workflowRoutes.delete(
  * Get bot trigger for a workflow
  */
 workflowRoutes.get("/:workflowId/bot-trigger", jwtMiddleware, async (c) => {
-  const workflowId = c.req.param("workflowId");
+  const workflowId = c.req.param("workflowId")!;
   const organizationId = c.get("organizationId")!;
   const workflowStore = new WorkflowStore(c.env);
   const db = createDatabase(c.env.DB);
@@ -968,7 +968,7 @@ workflowRoutes.post(
   "/:workflowId/bot-trigger/sync",
   jwtMiddleware,
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const workflowStore = new WorkflowStore(c.env);
     const db = createDatabase(c.env.DB);
@@ -1048,7 +1048,7 @@ workflowRoutes.post(
  * Delete a bot trigger for a workflow
  */
 workflowRoutes.delete("/:workflowId/bot-trigger", jwtMiddleware, async (c) => {
-  const workflowId = c.req.param("workflowId");
+  const workflowId = c.req.param("workflowId")!;
   const organizationId = c.get("organizationId")!;
   const workflowStore = new WorkflowStore(c.env);
   const db = createDatabase(c.env.DB);
@@ -1116,7 +1116,7 @@ workflowRoutes.patch(
     })
   ),
   async (c) => {
-    const workflowId = c.req.param("workflowId");
+    const workflowId = c.req.param("workflowId")!;
     const organizationId = c.get("organizationId")!;
     const { enabled } = c.req.valid("json");
 

apps/api/src/routes/ws.ts

@@ -14,7 +14,7 @@ wsRoutes.get("/:workflowId", jwtMiddleware, async (c) => {
     return c.json({ error: "Unauthorized" }, 401);
   }
 
-  const workflowId = c.req.param("workflowId");
+  const workflowId = c.req.param("workflowId")!;
 
   // getAgentByName initializes the partyserver name before returning the stub
   const stub = await getAgentByName(c.env.WORKFLOW_AGENT, workflowId);

apps/app/package.json

@@ -79,7 +79,7 @@
     "tailwindcss-animate": "^1.0.7",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
+    "vite": "^7.3.2",
     "vitest": "^4.1.0",
     "wrangler": "^4.76.0"
   }

apps/www/package.json

@@ -38,7 +38,7 @@
     "tailwindcss": "^3.4.19",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
+    "vite": "^7.3.2",
     "wrangler": "^4.76.0"
   }
 }