You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.
As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL.
Affected components
The issue affects the identifier escaping logic used by the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects.
Impact
This issue only affects applications that pass untrusted runtime input into identifier or alias construction. Common examples include dynamic sorting, dynamic report builders, and CTE or alias names derived from request parameters.
Depending on the database dialect, query context, and database permissions, successful exploitation may enable blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations.
Applications that use only static schema objects, or that strictly map user input through an allowlist of known column or alias names, are not affected.
Details
In affected versions, escapeName() wrapped the identifier but did not escape the quote delimiter inside the identifier value:
PostgreSQL / SQLite / Gel: " was not doubled to ""
MySQL / SingleStore: ` was not doubled to ``
Because of this, crafted input containing the dialect-specific identifier delimiter could break out of the quoted identifier and be interpreted as SQL syntax.
A representative vulnerable pattern is dynamic sorting using untrusted input:
Starting from this version, we’ve introduced a new DrizzleQueryError that wraps all errors from database drivers and provides a set of useful information:
A proper stack trace to identify which exact Drizzle query failed
The generated SQL string and its parameters
The original stack trace from the driver that caused the DrizzleQueryError
Drizzle cache module
Drizzle sends every query straight to your database by default. There are no hidden actions, no automatic caching or invalidation - you’ll always see exactly what runs. If you want caching, you must opt in.
By default, Drizzle uses a explicit caching strategy (i.e. global: false), so nothing is ever cached unless you ask. This prevents surprises or hidden performance traps in your application. Alternatively, you can flip on all caching (global: true) so that every select will look in cache first.
Out first native integration was built together with Upstash team and let you natively use upstash as a cache for your drizzle queries
import{upstashCache}from"drizzle-orm/cache/upstash";import{drizzle}from"drizzle-orm/...";constdb=drizzle(process.env.DB_URL!,{cache: upstashCache({// 👇 Redis credentials (optional — can also be pulled from env vars)url: '<UPSTASH_URL>',token: '<UPSTASH_TOKEN>',// 👇 Enable caching for all queries by default (optional)global: true,// 👇 Default cache behavior (optional)config: {ex: 60}})});
You can also implement your own cache, as Drizzle exposes all the necessary APIs, such as get, put, mutate, etc.
You can find full implementation details on the website
importKeyvfrom"keyv";exportclassTestGlobalCacheextendsCache{privateglobalTtl: number=1000;// This object will be used to store which query keys were used// for a specific table, so we can later use it for invalidation.privateusedTablesPerKey: Record<string,string[]>={};constructor(privatekv: Keyv=newKeyv()){super();}// For the strategy, we have two options:// - 'explicit': The cache is used only when .$withCache() is added to a query.// - 'all': All queries are cached globally.// The default behavior is 'explicit'.overridestrategy(): "explicit"|"all"{return"all";}// This function accepts query and parameters that cached into key param,// allowing you to retrieve response values for this query from the cache.overrideasyncget(key: string): Promise<any[]|undefined>{
...
}// This function accepts several options to define how cached data will be stored:// - 'key': A hashed query and parameters.// - 'response': An array of values returned by Drizzle from the database.// - 'tables': An array of tables involved in the select queries. This information is needed for cache invalidation.//// For example, if a query uses the "users" and "posts" tables, you can store this information. Later, when the app executes// any mutation statements on these tables, you can remove the corresponding key from the cache.// If you're okay with eventual consistency for your queries, you can skip this option.overrideasyncput(key: string,response: any,tables: string[],config?: CacheConfig,): Promise<void>{
...
}// This function is called when insert, update, or delete statements are executed.// You can either skip this step or invalidate queries that used the affected tables.//// The function receives an object with two keys:// - 'tags': Used for queries labeled with a specific tag, allowing you to invalidate by that tag.// - 'tables': The actual tables affected by the insert, update, or delete statements,// helping you track which tables have changed since the last cache update.overrideasynconMutate(params: {tags: string|string[];tables: string|string[]|Table<any>|Table<any>[];}): Promise<void>{
...
}}
Added drizzle connection attributes to SingleStore's driver instances
Fixes
Removed unsupported by dialect full join from MySQL select api
Forced Gel columns to always have explicit schema & table prefixes due to potential errors caused by lack of such prefix in subquery's selection when there's already a column bearing same name in context
Added missing export for PgTextBuilderInitial type
Removed outdated IfNotImported type check from SingleStore driver initializer
Fixed incorrect type inferrence for insert and update models with non-strict tsconfigs (#2654)
When importing from drizzle-orm using custom loaders, you may encounter issues such as: SyntaxError: The requested module 'drizzle-orm' does not provide an export named 'eq'
This issue arose because there were duplicated exports in drizzle-orm. To address this, we added a set of tests that checks every file in drizzle-orm to ensure all exports are valid. These tests will fail if any new duplicated exports appear.
In this release, we’ve removed all duplicated exports, so you should no longer encounter this issue.
pgEnum and mysqlEnum now can accept both strings and TS enums
If you provide a TypeScript enum, all your types will be inferred as that enum - so you can insert and retrieve enum values directly. If you provide a string union, it will work as before.
bigint, number modes for SQLite, MySQL, PostgreSQL, SingleStoredecimal & numeric column types
Changed behavior of sql-js query preparation to query prebuild instead of db-side prepare due to need to manually free prepared queries, removed .free() method
Fixed MySQL, SingleStorevarchar allowing not specifying length in config
Added Gel dialect support and gel-js client support
Drizzle is getting a new Gel dialect with its own types and Gel-specific logic. In this first iteration, almost all query-building features have been copied from the PostgreSQL dialect since Gel is fully PostgreSQL-compatible. The only change in this iteration is the data types. The Gel dialect has a different set of available data types, and all mappings for these types have been designed to avoid any extra conversions on Drizzle's side. This means you will insert and select exactly the same data as supported by the Gel protocol.
Drizzle + Gel integration will work only through drizzle-kit pull. Drizzle won't support generate, migrate, or push features in this case. Instead, drizzle-kit is used solely to pull the Drizzle schema from the Gel database, which can then be used in your drizzle-orm queries.
The Gel + Drizzle workflow:
Use the gel CLI to manage your schema.
Use the gel CLI to generate and apply migrations to the database.
Use drizzle-kit to pull the Gel database schema into a Drizzle schema.
Use drizzle-orm with gel-js to query the Gel database.
Here is a small example of how to connect to Gel using Drizzle:
// Make sure to install the 'gel' package import{drizzle}from"drizzle-orm/gel";import{createClient}from"gel";constgelClient=createClient();constdb=drizzle({client: gelClient});constresult=awaitdb.execute('select 1');
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@noble/hashes@1.8.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm @noble/hashes is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@noble/hashes@1.8.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
License policy violation: npm antlr4ts under BSD-3-Clause-HP
License: BSD-3-Clause-HP - The applicable license policy does not permit this license (5) (package/LICENSE)
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/antlr4ts@0.5.0-alpha.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm drizzle-orm is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/drizzle-orm@0.45.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
force-pushed
the
renovate/npm-drizzle-orm-vulnerability
branch
from
This PR contains the following updates:
^0.39.3→^0.45.0Drizzle ORM has SQL injection via improperly escaped SQL identifiers
CVE-2026-39356 / GHSA-gpj5-g38j-94v9
More information
Details
Summary
Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific
escapeName()implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as
sql.identifier(),.as(), may allow an attacker to terminate the quoted identifier and inject SQL.Affected components
The issue affects the identifier escaping logic used by the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects.
Impact
This issue only affects applications that pass untrusted runtime input into identifier or alias construction. Common examples include dynamic sorting, dynamic report builders, and CTE or alias names derived from request parameters.
Depending on the database dialect, query context, and database permissions, successful exploitation may enable blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations.
Applications that use only static schema objects, or that strictly map user input through an allowlist of known column or alias names, are not affected.
Details
In affected versions,
escapeName()wrapped the identifier but did not escape the quote delimiter inside the identifier value:"was not doubled to""`was not doubled toBecause of this, crafted input containing the dialect-specific identifier delimiter could break out of the quoted identifier and be interpreted as SQL syntax.
A representative vulnerable pattern is dynamic sorting using untrusted input:
updated_atcolumn to theneon_auth.users_synctable definition.v0.44.2Compare Source
tsconfig: #4535, #4457v0.44.1Compare Source
v0.44.0Compare Source
Error handling
Starting from this version, we’ve introduced a new
DrizzleQueryErrorthat wraps all errors from database drivers and provides a set of useful information:Drizzlequery failedDrizzle
cachemoduleDrizzle sends every query straight to your database by default. There are no hidden actions, no automatic caching or invalidation - you’ll always see exactly what runs. If you want caching, you must opt in.
By default, Drizzle uses a explicit caching strategy (i.e.
global: false), so nothing is ever cached unless you ask. This prevents surprises or hidden performance traps in your application. Alternatively, you can flip on all caching (global: true) so that every select will look in cache first.Out first native integration was built together with Upstash team and let you natively use
upstashas a cache for your drizzle queriesYou can also implement your own cache, as Drizzle exposes all the necessary APIs, such as get, put, mutate, etc.
You can find full implementation details on the website
For more usage example you can check our docs
v0.43.1Compare Source
Fixes
v0.43.0Compare Source
Features
cross join(#1414)left,inner,crossjoins toPostgreSQL,MySQL,Gel,SingleStoreSingleStore's driver instancesFixes
full joinfromMySQLselect apiGelcolumns to always have explicit schema & table prefixes due to potential errors caused by lack of such prefix in subquery's selection when there's already a column bearing same name in contextPgTextBuilderInitialtypeIfNotImportedtype check fromSingleStoredriver initializertsconfigs (#2654)nowaitflag (#3554)v0.42.0Compare Source
Features
Duplicate imports removal
When importing from
drizzle-ormusing custom loaders, you may encounter issues such as:SyntaxError: The requested module 'drizzle-orm' does not provide an export named 'eq'This issue arose because there were duplicated exports in
drizzle-orm. To address this, we added a set of tests that checks every file indrizzle-ormto ensure all exports are valid. These tests will fail if any new duplicated exports appear.In this release, we’ve removed all duplicated exports, so you should no longer encounter this issue.
pgEnumandmysqlEnumnow can accept both strings and TS enumsIf you provide a TypeScript enum, all your types will be inferred as that enum - so you can insert and retrieve enum values directly. If you provide a string union, it will work as before.
Improvements
inArrayacceptReadonlyArrayas a value - thanks @Zamiell@planetscale/database's execute - thanks @ayrtonInferEnumtype - thanks @totigmIssues closed
v0.41.0Compare Source
bigint,numbermodes forSQLite,MySQL,PostgreSQL,SingleStoredecimal&numericcolumn typessql-jsquery preparation to query prebuild instead of db-side prepare due to need to manually free prepared queries, removed.free()methodMySQL,SingleStorevarcharallowing not specifyinglengthin configMySQL,SingleStorebinary,varbinarydata\type mismatchesnumeric\decimaldata\type mismatches: #1290, #1453drizzle-studio+AWS Data Apiconnection issue: #3224isConfigutility function checking types of wrong fieldssupportBigNumbersin auto-createdmysql2driver instances1231(numeric[]),1115(timestamp[]),1185(timestamp_with_timezone[]),1187(interval[]),1182(date[]), preventing precision loss and data\type mismatchesSQLitebuffer-modeblobsometimes returningnumber[]v0.40.1Compare Source
Updates to
neon-httpfor@neondatabase/serverless@1.0.0- thanks @jawjStarting from this version, drizzle-orm will be compatible with both
@neondatabase/serverless<1.0 and >1.0v0.40.0Compare Source
New Features
Added
Geldialect support andgel-jsclient supportDrizzle is getting a new
Geldialect with its own types and Gel-specific logic. In this first iteration, almost all query-building features have been copied from thePostgreSQLdialect since Gel is fully PostgreSQL-compatible. The only change in this iteration is the data types. The Gel dialect has a different set of available data types, and all mappings for these types have been designed to avoid any extra conversions on Drizzle's side. This means you will insert and select exactly the same data as supported by the Gel protocol.Drizzle + Gel integration will work only through
drizzle-kit pull. Drizzle won't supportgenerate,migrate, orpushfeatures in this case. Instead, drizzle-kit is used solely to pull the Drizzle schema from the Gel database, which can then be used in yourdrizzle-ormqueries.The Gel + Drizzle workflow:
gelCLI to manage your schema.gelCLI to generate and apply migrations to the database.Here is a small example of how to connect to Gel using Drizzle:
and drizzle-gel schema definition
On the drizzle-kit side you can now use
dialect: "gel"For a complete Get Started tutorial you can use our new guides:
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
This change is