fix(db-postgres): patch SQL injection vulnerability by upgrading drizzle-orm and pg

Author: siimsams

packages/db-d1-sqlite/package.json

@@ -74,14 +74,14 @@
     "@payloadcms/drizzle": "workspace:*",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "9.0.0"
   },
   "devDependencies": {
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "@types/uuid": "10.0.0",
     "payload": "workspace:*"

packages/db-postgres/package.json

@@ -75,11 +75,11 @@
   },
   "dependencies": {
     "@payloadcms/drizzle": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
-    "pg": "8.16.3",
+    "drizzle-orm": "0.45.2",
+    "pg": "8.20.0",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "10.0.0"

packages/db-postgres/src/types.ts

@@ -1,24 +1,17 @@
+import type { DrizzleAdapter } from '@payloadcms/drizzle'
 import type {
   BasePostgresAdapter,
   GenericEnum,
   MigrateDownArgs,
   MigrateUpArgs,
   PostgresSchemaHook,
 } from '@payloadcms/drizzle/postgres'
-import type { DrizzleAdapter } from '@payloadcms/drizzle/types'
-import type { DrizzleConfig, ExtractTablesWithRelations } from 'drizzle-orm'
+import type { DrizzleConfig } from 'drizzle-orm'
 import type { NodePgDatabase } from 'drizzle-orm/node-postgres'
-import type {
-  PgDatabase,
-  PgQueryResultHKT,
-  PgSchema,
-  PgTableFn,
-  PgTransactionConfig,
-  PgWithReplicas,
-} from 'drizzle-orm/pg-core'
+import type { PgSchema, PgTableFn, PgTransactionConfig, PgWithReplicas } from 'drizzle-orm/pg-core'
 import type { Pool, PoolConfig } from 'pg'
 
-type PgDependency = typeof import('pg')
+type PgDependency = typeof import('pg').default
 
 export type Args = {
   /**

packages/db-sqlite/package.json

@@ -76,14 +76,14 @@
     "@payloadcms/drizzle": "workspace:*",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "9.0.0"
   },
   "devDependencies": {
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "@types/uuid": "10.0.0",
     "payload": "workspace:*"

packages/db-vercel-postgres/package.json

@@ -75,19 +75,19 @@
   },
   "dependencies": {
     "@payloadcms/drizzle": "workspace:*",
-    "@vercel/postgres": "^0.9.0",
+    "@vercel/postgres": "^0.10.0",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
-    "pg": "8.16.3",
+    "drizzle-orm": "0.45.2",
+    "pg": "8.20.0",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "10.0.0"
   },
   "devDependencies": {
     "@hyrious/esbuild-plugin-commonjs": "0.2.6",
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "esbuild": "0.27.1",
     "payload": "workspace:*"

packages/db-vercel-postgres/src/connect.ts

@@ -42,7 +42,7 @@ export const connect: Connect = async function connect(
     // Passed the poolOptions if provided,
     // else have vercel/postgres detect the connection string from the environment
     this.drizzle = drizzle({
-      client,
+      client: client as pg.Pool,
       logger,
       schema: this.schema,
     })
@@ -55,7 +55,7 @@ export const connect: Connect = async function connect(
           connectionString,
         }
         const pool = new VercelPool(options)
-        return drizzle({ client: pool, logger, schema: this.schema })
+        return drizzle({ client: pool as unknown as pg.Pool, logger, schema: this.schema })
       })
       const myReplicas = withReplicas(this.drizzle, readReplicas as any)
       this.drizzle = myReplicas

packages/drizzle/package.json

@@ -59,15 +59,15 @@
   "dependencies": {
     "console-table-printer": "2.12.1",
     "dequal": "2.0.3",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "9.0.0"
   },
   "devDependencies": {
     "@libsql/client": "0.14.0",
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "payload": "workspace:*"
   },