fix(db-postgres): patch SQL injection vulnerability by upgrading drizzle-orm and pg#16168
fix(db-postgres): patch SQL injection vulnerability by upgrading drizzle-orm and pg#16168siimsams wants to merge 1 commit intopayloadcms:mainfrom
Conversation
siimsams
changed the title
|
I went a bit down a rabbit hole with this one. The initial goal was just to use After that, I noticed Drizzle had released a patch related to SQL injection, so I upgraded that as well. While doing that, I ran into type issues around This ended up being a much larger set of changes than originally intended. Let me know or split this up yourself if needed. |
|
Yeah let's make a PR which just updates PG and Drizzle, I'd like to review switching the package for vercel separately. |
| } | ||
| const pool = new VercelPool(options) | ||
| return drizzle({ client: pool, logger, schema: this.schema }) | ||
| return drizzle({ client: pool as unknown as pg.Pool, logger, schema: this.schema }) |
There was a problem hiding this comment.
These were needed as the types no longer match to the deprecated Vercel Postgres package.
Here are the changes fixing this uglyness.
siimsams#1
siimsams
changed the title
siimsams
force-pushed
the
upgrade-drizzle-and-pg-versions
branch
from
58bfd66 to
a13ef5d
Compare
|
@r1tsuu I split it out. The Neon one is here siimsams#1 I will switch base to payload as soon as this gets merged. |
siimsams
changed the title
2 participants
What?
Upgrade
drizzle-ormfrom 0.44.7 to 0.45.2 andpgfrom 8.16.3 to 8.20.0 (with@types/pg8.10.2 → 8.20.0) across all database adapter packages.Why?
Security:
drizzle-orm@0.45.2patches an SQL injection vulnerability (CWE-89) insql.identifier()andsql.as()where values were not properly escaped.Maintenance: Bringing
pg/@types/pgcurrent picks up upstream fixes and keeps the adapters aligned with the types the rest of the monorepo already resolves.The
@vercel/postgres→@neondatabase/serverlessmigration has been split out into a separate PR for independent review. siimsams#1How?
drizzle-orm0.44.7 → 0.45.2 indb-postgres,db-sqlite,db-d1-sqlite,db-vercel-postgres,drizzlepg8.16.3 → 8.20.0 and@types/pg8.10.2 → 8.20.0 indb-postgres,db-vercel-postgres,drizzledb-postgres/src/types.ts: FixPgDependencytype totypeof import('pg').default—@types/pg@8.20.0added anindex.d.mtswith ESM types wherePGis a module-level declaration, making the oldtypeof import('pg')incompatible with the default importdb-vercel-postgres/src/connect.ts: Castclienttopg.Poolat the twodrizzle()call sites.drizzle-orm@0.45.2tightenedNodePgClienttopg.Pool | PoolClient | Client, andVercelPoolextends@neondatabase/serverless'sPool(notpg's), so the cast is required to satisfy the stricter type while preserving runtime behavior.